RE: IDS, IPS or just rubbish?

From: Golomb, Gary <GGolomb(at)enterasys.com>
Date: Wed Jun 25 2003 - 07:50:43 EDT

> They kept telling me about SQL Slammer and how this solution will stop
> it. What utter crap. Can anyone on this list tell me of a signature-based
> IDS which picked Slammer up in the 2-odd hours it needed to propagate?

All the major ones did. It was an automated exploit for an older vulnerability - as all worms are. Our phones were ringing off the hook from customers who had a sharp increase (understatement) in alerts for that MS-SQL vulnerability. The most interesting one I can think of along these lines [off-hand] was Code Red. It was based on a vulnerability only announced two weeks beforehand. In that case, the only IDSs that detected it were the ones that have quick turn-around times on releasing updates for new vulnerabilities.

It sounds like you're referring to pattern matching as signature-based analysis. Don't be so quick to dismiss it as irrelevant, for Checkpoint, us, or otherwise. How do you think most IDSs on the market are able to identify anything specific without identifying patterns in packets? With the scenario quoted above, it's more important to be concerned about the team they have analyzing and researching new threats. Code Red illustrates that point well. Based on what we saw, many vendors had not released updates for the IIS vulnerability before the worm started spreading, so many other IDSs did not detect anything (protocol decoding or otherwise). Sure, better methods exist nowadays for generic alerting to overflows of this type - which is great for finding new exploits for those types of vulns. However, based on historical performance it's not going to buy you anything when the next worm du jour derived from a new (or unaccounted for) vulnerability starts spreading again.

My myopic two cents, as usual-

-gary

ps - Your email was great! It's awesome when people raise the BS flag AND do it in such a "candid" manner! ;)



Gary Golomb
Senior Research Engineer
Intrusion Detection Group
Enterasys Networks  

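To make the distinction in Gary's reply concrete (a content signature for a known worm versus a generic check for the class of overflow it uses), here is an added example that is not part of the original message and not Enterasys code. It runs two detectors over hand-constructed UDP/1434 datagrams: the first is a Snort-style byte-pattern match, using the first-byte 0x04 and 0x01 padding that Slammer is documented to use plus a content string quoted from memory of the public Snort rule (treat those bytes as an assumption, and the packets as constructed, not captured traffic); the second flags any SQL Server Resolution Protocol request whose "instance name" is far longer than any real one, which catches a variant the signature has never seen. The 32-byte name bound is likewise an assumed threshold, not a protocol constant.

```python
"""Known-worm signature vs. generic SSRP overflow check (added example,
not code from the original post). All packets below are constructed."""
from dataclasses import dataclass

SSRP_PORT = 1434  # MS SQL Server Resolution Protocol listens on UDP/1434

# Slammer's single datagram begins with the SSRP request byte 0x04 and pads
# its overflow with 0x01 bytes. The content bytes are quoted from memory of
# the published Snort rule for the worm (assumption, not verified here).
SLAMMER_CONTENT = bytes.fromhex("81f10301049b81f101")

# Assumed sane upper bound for a legitimate SSRP instance name.
MAX_INSTANCE_NAME = 32


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes


def match_slammer_signature(p: Packet) -> bool:
    """Pattern match: the way a signature-based IDS names a known worm."""
    return (
        p.dst_port == SSRP_PORT
        and len(p.payload) > 0
        and p.payload[0] == 0x04
        and SLAMMER_CONTENT in p.payload
    )


def generic_ssrp_overflow(p: Packet) -> bool:
    """Protocol-aware check: a type-0x04 request carries a short, printable,
    NUL-terminated instance name. Anything much longer, or non-printable,
    is an overflow attempt regardless of the exact bytes it carries."""
    if p.dst_port != SSRP_PORT or not p.payload or p.payload[0] != 0x04:
        return False
    name = p.payload[1:].split(b"\x00", 1)[0]  # bytes up to the first NUL
    if len(name) > MAX_INSTANCE_NAME:
        return True
    return not all(0x20 <= b < 0x7F for b in name)


def classify(packets):
    """One verdict per packet: specific signature first, then the generic check."""
    verdicts = []
    for p in packets:
        if match_slammer_signature(p):
            verdict = "known-worm"
        elif generic_ssrp_overflow(p):
            verdict = "anomalous-overflow"
        else:
            verdict = "clean"
        verdicts.append((p.src, verdict))
    return verdicts


def slammer_like_payload() -> bytes:
    """Constructed stand-in for the worm's 376-byte UDP payload."""
    head = b"\x04" + b"\x01" * 97 + SLAMMER_CONTENT + b"sock" + b"send"
    return head + b"\x01" * (376 - len(head))


# Constructed sample traffic: a benign instance lookup, the known worm, a
# hypothetical variant with the same overflow shape but new bytes, and a
# large packet on an unrelated port that neither check should touch.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 1434, b"\x04MSSQLSERVER\x00"),
    Packet("192.0.2.7", 1434, slammer_like_payload()),
    Packet("198.51.100.9", 1434,
           b"\x04" + b"\x01" * 97 + b"\xde\xad\xbe\xef" + b"\x90" * 274),
    Packet("10.0.0.6", 53, b"\x04" + b"\x01" * 300),
]

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_PACKETS):
        print(f"{src:15} {verdict}")
```

The third packet is the point of the exercise: the content signature misses it because the bytes differ, while the protocol check still fires because the request is structurally impossible for SSRP. That is the "generic alerting to overflows of this type" Gary refers to, and it only helps when someone has already written a decoder for the protocol in question, which is the same update-turnaround problem in a different place.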
Received on Wed Jun 25 10:12:50 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:15 EDT
