RE: IDS detection approaches



> It is trivial to filter out post facto and is not normally occurring, I
> consider the alert successful at detecting nefarious activity. Simple,
> practical, effective.

I am sorry you have this idea, because it is dangerous and you are
underestimating your "enemy".

I sent just one example, and the point is not the example itself; the point
is the way pattern-matching IDS/IPS approaches signature design. Pattern
matching, by its very concept, limits you to checking for a pattern. That is
the point, because if you miss any vulnerable condition when detecting or
protecting, then you lose the accuracy of the detection. This has been well
known for years.

> We are talking right past each other here. So what if it is a null
> payload, if your goal is resource exhaustion then use a real payload.
> You have achieved absolutely nothing using the null payload, except
> perhaps to make it easily filtered out of your result set.

No, I disagree, we are not talking right past each other here; we are
talking about different things, and I suppose I'm not being clear enough or
I really need to go back to my English classes. :D

The resource exhaustion does not target the SQL, it targets the IPS. If you
launch this attack against the SQL, it will send you back a valid answer for
your request only if you are really using SQL in the test environment,
because this kind of attack does not depend on SQL: you can run packets
targeting any IP address protected by the IPS and it still reports the false
positive.

That said, I presume you now understand my point; otherwise I refuse to
keep this thread alive.
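As an added illustration of the signature-design point made above (this is example code written for this page, not code from the thread or from any IDS product; the asset inventory, the packets and the content pattern are all constructed), the block below runs two detection rules over the same packets. The pattern-only rule is a deliberately simplistic stand-in for a raw content match: it fires on the bytes wherever they appear, so it alerts on packets sent to addresses that serve no SQL at all, and it misses trivially different spellings of the same condition. The context-aware rule normalizes the payload and only alerts when the destination is a host:port known (from the hypothetical inventory) to actually speak SQL.

```python
"""Pattern-only vs. context-aware IDS rules over constructed packets.

Added example for this thread; not from the original post or any product.
Everything below (inventory, pattern, sample packets) is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    payload: bytes


# Hypothetical asset inventory: the only host:port that really serves SQL.
SQL_SERVICES = {("10.0.0.5", 1433)}

# Constructed content pattern, in the spirit of a raw byte match in a rule.
PATTERN = b"' or 1=1"


def pattern_only(pkt: Packet) -> bool:
    """Naive rule: alert whenever the exact bytes appear, for any target.

    Two failure modes follow directly from this design:
    * false positives: any packet to any protected address with these bytes
      raises an alert, whether or not anything behind it could run SQL;
    * false negatives: a different case or spacing of the same condition
      does not contain these exact bytes and is never seen.
    """
    return PATTERN in pkt.payload


def normalize(payload: bytes) -> bytes:
    """Lower-case and collapse whitespace so spelling variants of the same
    condition compare equal before the pattern is checked."""
    return re.sub(rb"\s+", b" ", payload.lower()).strip()


def context_aware(pkt: Packet) -> bool:
    """Alert only when (a) the packet is headed for a host:port that the
    inventory says serves SQL, (b) it carries a payload at all, and (c) the
    normalized payload contains the condition."""
    if (pkt.dst_ip, pkt.dst_port) not in SQL_SERVICES:
        return False  # nothing at this address can evaluate a SQL condition
    if not pkt.payload:
        return False  # empty payloads cannot carry the condition
    return PATTERN in normalize(pkt.payload)


def run(packets, rule):
    """Return the indices of the packets on which `rule` raises an alert."""
    return [i for i, p in enumerate(packets) if rule(p)]


# Constructed sample traffic (not captured data).
SAMPLE = [
    # 0: real SQL server, condition present but upper-cased
    Packet("10.0.0.5", 1433, b"SELECT name FROM users WHERE id='' OR 1=1 --"),
    # 1: unused address behind the IPS, exact bytes, nothing to exhaust but the IPS
    Packet("10.0.0.200", 1433, b"' or 1=1"),
    # 2: mail host, exact bytes inside an SMTP command
    Packet("10.0.0.7", 25, b"MAIL FROM:<' or 1=1>"),
    # 3: real SQL server, empty payload
    Packet("10.0.0.5", 1433, b""),
    # 4: real SQL server, same condition with odd whitespace
    Packet("10.0.0.5", 1433, b"SELECT 1 WHERE ''\t OR   1=1"),
]


if __name__ == "__main__":
    print("pattern_only alerts on packets:", run(SAMPLE, pattern_only))
    print("context_aware alerts on packets:", run(SAMPLE, context_aware))
```

Run stand-alone, the pattern-only rule alerts on packets 1 and 2 (the two that could never reach a SQL service) and stays silent on 0 and 4 (the two that actually carry the condition to the SQL server), while the context-aware rule does the reverse. The inventory check is what stops a flood of pattern-bearing packets to arbitrary protected addresses from turning into a flood of alerts; the normalization step is what keeps the rule from being tied to one exact spelling of the condition.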

