On 09/01/2008, GMail <mayur100@gmail.com> wrote:
focus-ids,
How effective are signature based IDS/IPS systems on text based
protocols which involves grammar like PL/SQL. Using PL/SQL I can write same
query with different ways and different constructs that leads to different
query patterns. So does not that mean stateless signature based IDS/IPS
are useless for database servers, etc.
As you say, a Network IDS cannot do a good job of determining 'good'
SQL from 'bad' SQL in the general case, but then it's not really
designed to do that.
In a typical situation, you would have your DB server firewalled off
from all but a few hosts - typically your front-end servers. You make
sure the front-end servers are using the least privileges possible to
access the DB. Then you can create your IDS rules so that it alerts
you to attempted accesses to the DB that don't fit in with your
design. E.g. beware of large flows going from the DB server outside
your company, connection attempts to the DB server from outside your
company, lots of password guesses from the front-end servers to the DB
server.
cheers,
Jamie
--
Jamie Riden / jamesr@europe.com / jamie@honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
