Re: Cisco IOS Shellcode - McAfee IPS Protection
From: Martin Roesch (roesch_at_sourcefire.com)
Date: 08/09/05
- In reply to: Ron Gula: "Re: Cisco IOS Shellcode - McAfee IPS Protection"
Date: Mon, 8 Aug 2005 19:07:10 -0400
To: Ron Gula <rgula@tenablesecurity.com>
On Aug 8, 2005, at 1:22 PM, Ron Gula wrote:
> I think most of them are relying on existing technology. For example,
> a quick check of snort.org and bleedingsnort.org didn't have any new
> cisco-specific rules, yet there are signatures to detect various Cisco
> attacks already.
We stopped looking for shellcode with Snort years ago; we focus our
rule development efforts on detection of people exercising the
protocols improperly instead of looking for specific signatures
whenever possible. Our existing Cisco rules most likely need to have
the messages updated from "DoS" to "exploit", that's about it.
Playing the shellcode detection game is a dead end unless that's all
you've got.
-Marty
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Network Defense for the Real World - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org