Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IDS vs. IPS deployment feedback

from [Basgen, Brian] Network Security [Permanent Link]
Subject: RE: IDS vs. IPS deployment feedback
Date: Mon, 10 Apr 2006 15:10:28 -0700 
Paul,

 Thanks for your response. I'd love to hear you qualify differences a bit
more. 

 Every IPS ships in "silver bullet" mode with a certain set of recommended
protections activated -- the understanding being that these signatures have
extremely low false positives. Yet, these IPS have a larger signature base
that, if enabled, can stop both threats and normal traffic. Naturally, they
aren't enabled because the product is, after all, a silver bullet; like your
ISS Proventia claims. ;)

 I think metrics would be interesting here -- whether numeric or
qualitative. You explained poor SMB and MSRPC parsers in snort, and that is
interesting data. While I'm interested in getting the details as to where
Snort is imperfect, I'm also interested in getting better qualitative data
on the IPS/IDS divide. How much can the IPS drop without false positives,
versus how much can an IDS detect (with, of course, false positives). Put in
another way, how many false negatives can get through a default IPS? 

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College

-----Original Message-----
From: Palmer, Paul (ISSAtlanta) [mailto:PPalmer@iss.net] 
Sent: Monday, April 10, 2006 1:38 PM
To: Basgen, Brian; focus-ids@securityfocus.com
Subject: RE: IDS vs. IPS deployment feedback

Brian,

I work in ISS' research department. This puts me in a somewhat unique
position to answer your question.

One example is the signature coverage for MS05-039/CVE-2005-1983. When the
vulnerability was initially announced, the SNORT community (I do not know
which exact group created these signatures) added approximately 300
different signatures to provide vulnerability-based coverage for the
vulnerability. That is to say, these were not 300 different overlapping
signatures from a variety of sources all designed to solve the same problem.
These were a single group of 300 signatures designed to work in concert to
provide protection against unknown exploits (no known exploits existed at
the time that these signatures were added.)

The fact that 300 signatures were necessary was due to weaknesses of the
SNORT engine itself (it doesn't have a proper MSRPC parser), not the
research community. Even so, judging from what is lacking in the 300
signatures, it seems extremely likely that the SNORT research community is
unaware of all of the different vectors through which the vulnerability can
be exploited since they could have easily added coverage for these had they
been aware of them. It also seems likely that the research community is
unaware of all of the evasion techniques available via MSRPC and SMB as
there are evasions for which I have never seen SNORT signature coverage.

It is interesting to note that once a proof of concept exploit became
available, the 300 signatures disappeared and were replaced by a small
number of signatures to just provide coverage for the known proof of concept
exploits.

ISS, which has proper SMB and MSRPC parsers, needed to add only one
signature to provide vulnerability-based coverage for the buffer overflow
attack (there is another signature for a related, but different DoS-only
vector). Other vendors vary in the number of distinct signatures they
require for coverage. However, I have seen none that come close to the ~300
fielded by SNORT.

Paul

-----Original Message-----
From: Basgen, Brian [mailto:bbasgen@pima.edu]
Sent: Friday, April 07, 2006 12:28 PM
To: focus-ids@securityfocus.com
Subject: RE: IDS vs. IPS deployment feedback


Andrew,


some technologies, one signature handles an entire class of

vulnerabilities. Where Snort 

needs multiple signatures for the same vulnerability, ISS can protect

against the 

vulnerability with 1 signature. TP is the same.

 
 Interesting. Can you show me an example of this? I'd like to understand
the design differences that lead the snort signature base to be as
ineffecient as you describe.


ISS, for example, does their own independent security research an has

signatures to 

protect against things that Snort people don't even know about.


 I don't understand how this differs from the Sourcefire Vulnerability
Research Team. Can you provide some details, specific examples, of where
the Sourcefire VRT has failed and the ISS research has succeeded?

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College

Attachment: smime.p7s
Description: S/MIME cryptographic signature

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Simulating Retransmissions, Mike Gibson
Next by Date:  Re: IDS vs. IPS deployment feedback, Aaron
Previous by Thread:  Re: IDS vs. IPS deployment feedback, Frank Knobbe
Next by Thread:  RE: IDS vs. IPS deployment feedback, Palmer, Paul (ISSAtlanta)
Indexes:  [Date] [Thread] [Top] [All Lists]