Re: signature based IDS/IPS effectiveness
On 10/01/2008, narccist tohell <mayur100@xxxxxxxxx> wrote:
Thanks Jamie and Stefano for noticing my issues,
90% of commercial database specific IDS/IPS systems do "signature
matching" exploit detection. They are stateless and mostly based on snort.
So does this mean that all they can do is stop public exploits? If someone
modifies the exploit, then the signatures will fail, and by that means the
appliances too?

Hi there,

The IDS is there to tell you you've been compromised and need to take
action to sort it out. It doesn't in any way stop your database box
being compromised. I used to look after a large-ish network of some 5K
hosts and the thing that I noticed most often was outgoing portscans
and IRC traffic from boxes which had been owned. If possible, I like
to have the IDS run independently of the security arrangements for the
actual hosts.

I like to lock the network down so I'm pretty sure that the risk is
low. Then I use IDS to make sure my confidence is not misplaced - as a
sanity check if you like. Also, it is a great reassurance if other
people are changing configs of your network.

Metasploit v3 has pretty good IDS evasion code, especially, for example,
for browser exploits embedded in HTTP. Doesn't matter too much,
because most attackers, having owned a box, will do very unstealthy
things like scan a /8 looking for more boxes to compromise, or join an
IRC channel. These secondary effects show up very well on snort with
portscan logging. Your IDS has actually detected the intrusion, as
it's meant to, although not as efficiently as it perhaps could have.

As for securing a DB box, I'm not an expert and tend to use postgresql
because I like it and it's free. I haven't played with IPS much
either, so I can't help there.

cheers,
Jamie
--
Jamie Riden / jamesr@xxxxxxxxxx / jamie@xxxxxxxxxxxxxxx
UK Honeynet Project: http://www.ukhoneynet.org/
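The point above is that a compromised host betrays itself through noisy secondary behaviour (outbound sweeps of large address ranges, outbound IRC) that a network sensor sees regardless of how the initial exploit was disguised. The script below is an added illustration of that detection logic, not code from the post or from snort: it runs over a constructed set of flow records and flags internal hosts that contact many distinct external hosts within a short window, or that connect to external IRC ports. The internal range, the record format ("timestamp src dst dport"), the IRC port list and the thresholds are all assumptions for the example.

```python
"""Flag noisy post-compromise behaviour in flow records (added example).

Two signals, both independent of the exploit signature that got the box owned:
  * outbound port scan: one internal host touches many distinct external hosts
    inside a short time window;
  * outbound IRC: an internal host connects to an external host on an IRC port.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (not from the original post): the internal address range,
# a flat "timestamp src dst dport" record format, and these thresholds.
INTERNAL = ip_network("10.0.0.0/8")
IRC_PORTS = {6667, 6668, 6669, 7000}   # common plaintext IRC ports
SCAN_WINDOW = timedelta(seconds=60)     # sliding window per source host
SCAN_MIN_TARGETS = 10                   # distinct external hosts in one window

# Constructed sample records (not real traffic): 10.1.2.3 sweeps an external
# range on port 445 and then joins IRC; 10.1.2.4 makes ordinary web requests.
SAMPLE_LOG = "\n".join(
    [f"2008-01-10T10:00:{i:02d} 10.1.2.3 203.0.113.{i} 445" for i in range(1, 13)]
    + [
        "2008-01-10T10:00:30 10.1.2.3 198.51.100.7 6667",
        "2008-01-10T10:00:31 10.1.2.4 198.51.100.9 80",
        "2008-01-10T10:00:32 10.1.2.4 198.51.100.9 443",
        "2008-01-10T10:05:00 10.1.2.4 198.51.100.10 80",
    ]
)


def parse(text):
    """Turn 'timestamp src dst dport' lines into sorted (ts, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), ip_address(src),
                        ip_address(dst), int(dport)))
    records.sort()
    return records


def outbound(records):
    """Keep only flows from an internal host to an external host."""
    return [r for r in records if r[1] in INTERNAL and r[2] not in INTERNAL]


def detect_irc(records):
    """Internal hosts that talked to an external IRC port (sorted list of strings)."""
    return sorted({str(src) for _, src, _, dport in outbound(records)
                   if dport in IRC_PORTS})


def detect_outbound_scans(records):
    """Internal hosts contacting >= SCAN_MIN_TARGETS distinct external hosts
    within SCAN_WINDOW. Returns {source: max distinct targets seen in a window}."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in outbound(records):
        by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside SCAN_WINDOW.
            while events[end][0] - events[start][0] > SCAN_WINDOW:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= SCAN_MIN_TARGETS:
                hits[str(src)] = max(hits.get(str(src), 0), len(targets))
    return hits


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("outbound IRC from:", detect_irc(recs))
    print("outbound scans from:", detect_outbound_scans(recs))
```

Running it flags 10.1.2.3 on both counts and leaves 10.1.2.4 alone. The thresholds are deliberately loose here; on a real network the window and target count would be tuned against normal traffic, and the same two checks are what snort's portscan preprocessor and a rule on IRC ports give you out of the box.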
