Network Security Focus-IDS

Subject: Re: newbie questions
Date: Thu, 06 Jan 2005 03:21:26 -0500

Dave Aitel wrote:
> Although, keep in mind, Snort completely fails the CRI test, and does horrible TCP reassembly, let alone SMB or MSRPC reassembly. It just isn't up to the job of detecting an attacker who's gone to some work to bypass this sort of thing.

This statement is misleading and implies that there are systems that do better and can stand up to the same assault. A better statement might be: there is no IDS/IPS up to the job of detecting the attacker who's gone to some work to bypass it.


The reality is that every IDS has evasion potential, and if you are able to control the environment enough that you can influence the view of the network, then you can win, as simple as that.

Let's put it out there for consideration.

- All major IDS players fail in the MSRPC space when challenged with a capable attacker.

- No IDS can handle proper TCP state tracking when confronted with a capable attacker. If you are not constrained by 5 hops between you and the endpoint, with at least one of those endpoints being a system charged with noise elimination (Checkpoint, PIX, iptables, screening router...), you can own any state machine.


- All major players will fail to detect XYZ when confronted with the challenge presented by ABC in a controlled environment.

Even the supposed inline _normalizing_ systems can be evaded in these ways, and unless you have an astute network staff with a very capable security staff backing it up you are not going to win against the attacker that is paid to sit down and attack you until they get what they are looking for.

Moving beyond the detection space, active technologies suffer from the same shortcomings in that they must make compromises to achieve a larger goal. IIRC Canvas will report success on a Win32 Apache chunked-encoding attack against a FreeBSD Apache server, for example.

The moral of the story is that you have decisions to make and with open source you at least have an opportunity to make a difference. With all of the systems that compete with Snort you have no opportunity to make a difference unless you have a few million dollars and staff capable of isolating a problem. I can tell you from experience that everyone that I compete with cannot stand up to controlled environments and advanced evasion tactics.
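The TCP state-tracking point in the reply above is the classic reassembly ambiguity: when two segments carry different bytes for the same sequence range, the sensor and the end host may keep different copies, and a content rule only fires on the copy the sensor kept. The following Python is an added example, not code from the original post, from Snort or from any product named in the thread. The two policies ("first": bytes already placed win; "last": later bytes overwrite), the segments, the `GET /index.html` versus `GET /etc/passwd` payloads and the one-pattern `SIGNATURE` are all constructed for illustration; real stacks mix both behaviours depending on how the overlap lies.

```python
"""Overlapping TCP segments reassembled under two conflicting policies.

Added example for the focus-ids thread above; not code from the post or
from any IDS product.  The stream, the segments, the payloads and the
one-line 'signature' are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes


def reassemble(segments, policy):
    """Rebuild a byte stream from segments that may overlap.

    policy == "first": bytes already placed win (a 'favor old data' stack).
    policy == "last":  bytes that arrive later overwrite (a 'favor new' stack).
    The two labels are assumptions standing for the two ends of the
    ambiguity, not a description of any particular OS.  Offsets nobody
    sent are rendered as '?' so a hole stays visible.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown policy %r" % policy)
    stream = {}                      # offset -> byte value
    for seg in segments:             # arrival order matters
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    if not stream:
        return b""
    return bytes(stream.get(o, ord("?")) for o in range(max(stream) + 1))


# Constructed one-pattern 'signature', standing in for a content rule.
SIGNATURE = b"/etc/passwd"


def matches(stream):
    return SIGNATURE in stream


def overlap_attack(host_policy):
    """Segments that hide SIGNATURE from a sensor using the other policy.

    Both copies of bytes 5..14 have the same length, so the sequence
    numbers line up exactly; which copy 'wins' is purely a reassembly
    decision, and the attacker orders the copies to suit the host.
    """
    benign = Segment(5, b"index.html")
    hostile = Segment(5, b"etc/passwd")
    if host_policy == "last":          # host keeps the later copy
        middle = [benign, hostile]
    else:                              # host keeps the first copy
        middle = [hostile, benign]
    return [Segment(0, b"GET /")] + middle + [Segment(15, b" HTTP/1.0\r\n\r\n")]


def views(host_policy):
    """What the host and a sensor with the opposite policy each reconstruct."""
    sensor_policy = "first" if host_policy == "last" else "last"
    segs = overlap_attack(host_policy)
    host = reassemble(segs, host_policy)
    sensor = reassemble(segs, sensor_policy)
    return {"host": host, "sensor": sensor,
            "host_hit": matches(host), "sensor_hit": matches(sensor)}


if __name__ == "__main__":
    for pol in ("first", "last"):
        v = views(pol)
        print("host policy %-5s host=%r alert=%s | sensor=%r alert=%s"
              % (pol, v["host"], v["host_hit"], v["sensor"], v["sensor_hit"]))
```

In both runs the host ends up executing `GET /etc/passwd` while the sensor reconstructs `GET /index.html` and never matches the pattern. The only defence the model offers is the one the reply names: a normalizer in the path (firewall, proxy, inline scrubber) that discards or rewrites the conflicting copy before either side sees it, or a sensor that is told, per target, which policy that host actually follows.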


