Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IDS evaluations procedures

from [Mike Frantzen] Network Security [Permanent Link]
Subject: Re: IDS evaluations procedures
Date: Mon, 18 Jul 2005 10:29:06 -0400 


An example would be to use an IPS to force all HTTP requests to have the host 
header www.xyz.com (your sites URL) this will stop a significant proportion 
of HTTP noise before signature matching.


As IPS developers we have to be very careful with IPS optimizations like
this. They work well in some sites but break horribly in others.

Your example will block most HTTP/1.0 requests that don't require a
Host: header. Many upness checkers won't bother with a well formed HTTP
request so your site will appear down and someone may get paged and get
very cranky figuring out why everything works but the website-is-up
checker. Likewise it will run into a cold-start problem when a
connection is already live and sent the packet containing the Host:
header just before the IPS began monitoring.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP:  CC A4 E2 E8 0C F8 42 F0  BC 26 85 5B 6F 9E ED 28

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: NetIQ Security Manager: Is it a good product for IDS on windows?, Mark Teicher
Next by Date:  SID HIDS 0.4.2 released, harald
Previous by Thread:  Re: Firewalls (was Re: IDS evaluations procedures), Devdas Bhagat
Next by Thread:  RE: IDS evaluations procedures, Nathan Davidson
Indexes:  [Date] [Thread] [Top] [All Lists]