Network Security Focus-IDS

Re: signature based IDS/IPS effectiveness

Subject: Re: signature based IDS/IPS effectiveness
Date: Thu, 10 Jan 2008 10:20:13 +0000
On 10/01/2008, narccist tohell <mayur100@gmail.com> wrote:
> Thanks Jamie and Stefano for noticing my issues,
> 90% of commercial database specific IDS/IPS systems do "signature
> matching" exploit detection. They are stateless and mostly based on snort.
> So does this mean that all they can do is stop public exploits? If someone
> modifies the exploit then the signatures will fail, and by that means the
> appliances too?

Hi there,

The IDS is there to tell you you've been compromised and need to take
action to sort it out. It doesn't in any way stop your database box
being compromised. I used to look after a large-ish network of some 5K
hosts and the thing that I noticed most often was outgoing portscans
and IRC traffic from boxes which had been owned. If possible, I like
to have the IDS run independently of the security arrangements for the
actual hosts.

I like to lock the network down so I'm pretty sure that the risk is
low. Then I use IDS to make sure my confidence is not misplaced - as a
sanity check if you like. Also, it is a great reassurance if other
people are changing configs of your network.

Metasploit v3 has pretty good IDS evasion code, especially for example
to do with browser exploits embedded in HTTP. Doesn't matter too much,
because most attackers, having owned a box will do very unstealthy
things like scan a /8 looking for more boxes to compromise, or join an
IRC channel. These secondary effects show up very well on snort with
portscan logging. Your IDS has actually detected the intrusion, as
it's meant to - although not as efficiently as it perhaps could have.

As for securing a DB box, I'm not an expert and tend to use postgresql
because I like it and it's free. I haven't played with IPS much
either, so I can't help there.

cheers,
 Jamie
-- 
Jamie Riden / jamesr@europe.com / jamie@honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/
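
An added example (not from the original thread) of the behavioural check Jamie describes: scanning constructed connection records for an internal host fanning out to many external hosts within a short window (an outgoing portscan) or talking to an IRC port, which flags a compromise whether or not the original exploit matched a signature. The 10.x internal address space, the IRC ports and the window/threshold values are assumptions.

```python
from collections import defaultdict

INTERNAL_PREFIX = "10."          # assumed internal address space
IRC_PORTS = {6667, 6697}         # common IRC ports (plain and TLS); assumed

# Constructed sample connection records: (timestamp_s, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = (
    # 10.1.2.3 sweeps 25 hosts in 203.0.113.0/24 on 445 within 25 seconds: a scan
    [(t, "10.1.2.3", f"203.0.113.{t + 1}", 445) for t in range(25)]
    # 10.1.2.4 makes a few ordinary web requests spread over an hour: benign
    + [(t * 600, "10.1.2.4", "198.51.100.7", 443) for t in range(6)]
    # 10.1.2.5 connects outbound to an IRC port: the bot-joins-channel pattern
    + [(30, "10.1.2.5", "198.51.100.9", 6667)]
)

def _is_outbound(src, dst):
    return src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX)

def find_outbound_scanners(flows, window=60, threshold=20):
    """Map each internal host to the peak number of distinct external hosts it
    contacted inside any `window`-second span, for hosts reaching `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        if _is_outbound(src, dst):
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> number of events still in window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:   # slide the window forward
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts

def find_irc_talkers(flows, ports=IRC_PORTS):
    """Internal hosts with any outbound connection to an IRC port."""
    return sorted({src for _ts, src, dst, port in flows
                   if _is_outbound(src, dst) and port in ports})

if __name__ == "__main__":
    print("scanners:", find_outbound_scanners(SAMPLE_FLOWS))   # {'10.1.2.3': 25}
    print("irc:", find_irc_talkers(SAMPLE_FLOWS))              # ['10.1.2.5']
```

Fed real flow or firewall logs, the same two functions give a signature-independent second opinion of the kind Jamie uses as a sanity check on a locked-down network.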
