Re: Intrushield vs ISS

From: Matthew LeGrow (mlegrow_at_nfr.com)
Date: 01/03/05

    Date: Mon, 03 Jan 2005 14:05:44 -0500
    To: focus-ids@securityfocus.com
    
    

    Dave Aitel wrote:
    > Interesting, because this means Intrushield must parse MSRPC and SMB
    > correctly. This is actually quite rare in an NIDS or NIPS. It'd be good
    > to see what NFR and some of the other heavy hitters do.
    >

    For NFR Sentivist, we reassemble MSRPC fragments before analyzing the
    traffic, including MSRPC over SMB and web (via CIS). Any anomalies in
    MSRPC fragment reassembly will also kick off alerts.

    A pseudo-whitepaper written to help teach N-Code function callbacks
    appeared in our last quarterly newsletter here and describes the MSRPC
    over SMB interaction in some detail:

    http://www.nfr.com/newsletter/fall-04/AdvancedN-CodeFUCallbacksPackageIntegration.htm

    -- 
    Matt LeGrow                 NFR Rapid Response Team
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
    | 800-234-4079  (nfr)(security)  Fax:240-632-0200 |
    | http://www.nfr.com/solutions/rapidResponse.php  |
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
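
The reassembly-with-alerting behaviour described in the message above, as an added example that is not part of the original post and is not NFR's N-Code. It assumes the request PDUs have already been extracted from the SMB named-pipe or TCP stream, are little-endian, and carry no auth verifier or object UUID; the class, the helper names and the particular anomaly checks are choices made for this illustration.

```python
import struct

PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02   # pfc_flags bits in the DCE/RPC common header
PTYPE_REQUEST = 0

class Reassembler:
    """Reassembles DCE/RPC request fragments per call_id and records anomalies."""
    def __init__(self):
        self.calls = {}    # call_id -> (context id, opnum, bytearray of stub data)
        self.alerts = []   # (call_id, description)

    def _alert(self, call_id, msg):
        self.alerts.append((call_id, msg))   # returns None, so callers can "return self._alert(...)"

    def feed(self, pdu):
        """Consume one PDU; return (opnum, stub) once a request is complete, else None."""
        if len(pdu) < 24:
            return self._alert(None, "truncated header")
        ver, _minor, ptype, flags, drep, frag_len, _auth, call_id = struct.unpack_from("<BBBB4sHHI", pdu)
        if ver != 5 or ptype != PTYPE_REQUEST or not drep[0] & 0x10:
            return None    # only little-endian v5 request PDUs are handled here
        if frag_len != len(pdu):
            return self._alert(call_id, "frag_length does not match PDU size")
        _alloc_hint, ctx, opnum = struct.unpack_from("<IHH", pdu, 16)
        stub = pdu[24:]    # assumption: no auth trailer, no object UUID
        if flags & PFC_FIRST_FRAG:
            if call_id in self.calls:
                self._alert(call_id, "new first fragment before last fragment")
            self.calls[call_id] = (ctx, opnum, bytearray())
        elif call_id not in self.calls:
            return self._alert(call_id, "fragment without first fragment")
        first_ctx, first_op, buf = self.calls[call_id]
        if (ctx, opnum) != (first_ctx, first_op):
            self._alert(call_id, "opnum or context changed mid-call")
        buf += stub
        if flags & PFC_LAST_FRAG:
            del self.calls[call_id]
            return first_op, bytes(buf)   # analyse the whole stub, keyed by the first fragment's opnum
        return None

def make_request(call_id, flags, opnum, stub, ctx=0):
    """Build a constructed little-endian request PDU (sample input, not captured traffic)."""
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, flags, b"\x10\0\0\0", 24 + len(stub), 0, call_id)
    return hdr + struct.pack("<IHH", len(stub), ctx, opnum) + stub
```

Signatures then run against the returned stub rather than against individual fragments, and `alerts` carries the reassembly anomalies separately.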
    
