Re: Signatures taking down network



There are many parameters involved in bringing up
such a situation.

1. Firstly, yes, signature QA testing might have been
skipped, or problems found during testing might have
been ignored due to the severity of the threat for which
the signatures were created in that release.

2. Testing might have happened on a different product
from the one which you are using. Because when
signature(s) for a newly discovered critical
vulnerability are added, and due to the pressure of
delivering the signature pack super fast, it's not
always feasible to test the same signature pack against
20 different products/versions.

3. The vendor might have used a different test environment
for testing. For example, vendors might have tested
the signature pack by configuring a dummy network on
the IDS/IPS running 2-3 domains. But in a live environment
you might have a few hundred different domains
configured.

4. The vendor might have tested the signatures just for
accuracy/syntax/working/attack blocking and might have
skipped the performance testing of the IPS after including
the new signatures with the older set.

There could be many more reasons... And it's not the
case of "xxx" vendor; these problems can occur with any
IPS vendor. But of course it's a serious problem, and
vendors should pay high attention to QA rather than
increasing the signature count. Because no one would like
to make his/her machine secure by pulling out the
network cable.

-Dhruv


--- David Williams <dwilliamsd@xxxxxxxxx> wrote:

> I'm evaluating a Tipping Point box and after getting the latest
> signatures I'm having problems with the box "crashing". My goal is
> not to bash Tipping Point, but instead to gather information on how
> often people have seen this type of thing among IPS boxes.
>
> Is there a trend with vendors to roll out signatures as fast as
> possible without proper QA? This brings up a lot of questions about
> deploying IPS. I want two opposite things from my vendors: 1) I want
> the latest signatures super fast. 2) I want proper QA so that it
> doesn't bring down my network. I realize those two things are
> contradictory, but I thought I'd throw it out there to see if anybody
> had any thoughts.
>
> thanks,
>
> d
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
>
>
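Point 4 of the reply above (a new signature pack merged into the older set without performance testing) and point 3 (a test bench that does not look like the live network) are the kind of regression a small harness catches before a pack ships. What follows is an added example, not code from the original post, from TippingPoint, or from any vendor's QA process. It assumes a regex-based content-signature model; the signature ids, patterns, time budget and corpus packets are all constructed for the illustration. One of the constructed "new" signatures uses a nested quantifier, which passes accuracy testing (it matches what it was written for) yet backtracks catastrophically on a benign long URL, so it only shows up when the bench carries ordinary traffic and the engine's per-signature cost is actually measured.

```python
# Added example: a signature-pack performance regression harness.
# Not the vendor's QA code and not from the original post; every signature,
# packet and threshold below is constructed for the illustration.
import re
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int          # constructed signature id
    name: str
    pattern: str      # regex, the way many IDS/IPS content rules are expressed


# Constructed "older set": assumed to already be running in production.
BASELINE_PACK = [
    Signature(1001, "HTTP directory traversal", r"\.\./\.\./"),
    Signature(1002, "SQLi UNION SELECT", r"(?i)union\s+select"),
    Signature(1003, "shell metachar before common binary", r"[;|`]\s*(cat|ls|id)\b"),
]

# Constructed "new pack": 2001 has a nested quantifier and backtracks
# catastrophically on a long run of 'a' that is not followed by 'b'.
NEW_PACK = [
    Signature(2001, "long token probe (pathological)", r"(a+)+b"),
    Signature(2002, "SMTP VRFY user enumeration", r"(?i)^VRFY\s+\S+"),
]

# Constructed traffic corpus. It deliberately mixes benign traffic with the
# attacks the signatures were written for, because a bench that only carries
# the attack payloads never exercises the expensive non-matching path.
CORPUS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n",
    "GET /../../etc/passwd HTTP/1.1\r\n",
    "POST /login HTTP/1.1\r\n\r\nuser=x' UNION SELECT 1,2--",
    "VRFY root\r\n",
    "GET /cgi-bin/x?a=;cat%20/etc/passwd HTTP/1.1\r\n",
    "GET /" + "a" * 18 + " HTTP/1.1\r\n",   # benign long path, no trailing 'b'
]


def time_signature(rx, corpus):
    """Wall-clock seconds one compiled signature needs to scan the corpus."""
    start = time.perf_counter()
    for payload in corpus:
        rx.search(payload)
    return time.perf_counter() - start


def benchmark(pack, corpus, repeats=3):
    """Best-of-N seconds per signature id; best-of-N damps scheduler noise."""
    results = {}
    for sig in pack:
        rx = re.compile(sig.pattern)
        results[sig.sid] = min(time_signature(rx, corpus) for _ in range(repeats))
    return results


def regression_report(baseline, new_pack, corpus, budget_ms=2.0, max_ratio=2.0):
    """Gate a new pack on cost, not only on whether it blocks the attack.

    Runs the old set alone and old+new together, flags every signature whose
    scan of the corpus exceeds budget_ms, and compares the mean per-signature
    cost of the combined set with the baseline's.  budget_ms and max_ratio
    are constructed thresholds; a real bench would derive them from the
    platform's measured headroom.
    """
    base = benchmark(baseline, corpus)
    combined = benchmark(list(baseline) + list(new_pack), corpus)
    over_budget = sorted(sid for sid, secs in combined.items()
                         if secs * 1000.0 > budget_ms)
    base_mean = sum(base.values()) / len(base)
    combined_mean = sum(combined.values()) / len(combined)
    ratio = combined_mean / base_mean if base_mean > 0 else float("inf")
    return {
        "over_budget": over_budget,
        "ratio": ratio,
        "worst_ms": max(combined.values()) * 1000.0,
        "ship": not over_budget and ratio <= max_ratio,
    }


if __name__ == "__main__":
    for key, value in regression_report(BASELINE_PACK, NEW_PACK, CORPUS).items():
        print(f"{key}: {value}")
```

Run as-is, the report lists 2001 under `over_budget` and sets `ship` to False, while a pack containing only 2002 passes. To make this resemble the situation in the thread rather than the vendor's dummy network, the corpus would be replaced with captures from the target network (the "few hundred domains" case), and the report would be produced once per product and firmware version the pack is destined for, which is the testing point 2 says is often skipped under time pressure.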





