Bugtraq mailing list archives
Re: [Snort-devel] Re: Re: Snort exploits
From: Fyodor <fygrave () tigerteam net>
Date: Thu, 18 Apr 2002 15:10:18 +0700
0xcafebabe () hushmail com <0xcafebabe () hushmail com> spoke:
> On Wed, 17 Apr 2002 04:07:31 +0000, Dragos Ruiu <dr () kyx net> wrote:
>
> > Basically all the chaffing at the IP and TCP level is detectable as those
> > should not be normal conditions. Look to snort cvs over the next few days
> > for solutions to these issues...
>
> That's good to know. But why has it taken 3 months to fix? I wonder what
> I've been missing during those 3 months. :(
You still are missing the stuff. A network-based IDS concept is by design not capable of capturing 100% of all potential threats. The place of a NIDS should be made clear in your network security defence scheme: it will alert you in most of the cases if kiddies poke around your network, but may not even notice someone who is seriously trying to get in unnoticed. At the end of the day, burglar alarms keep away only amateurs.

There are heaps of things which a dedicated intruder could play with: application-specific bugs, encrypted channels (ssl, ssh, vpn, ...), various TCP/IP stack-specific issues (TCP segment overlaps which are handled differently by each TCP/IP stack, frags, transmission timeouts, corrupted datagrams, TTL games); you never know how broken a TCP/IP stack or an application is. Even a perfect NIDS would not be able to handle all these things in real time according to each of the protected systems' specifics.

If you were not aware of that, it's time to stop whining and do some research before complaining. Traffic normalizers, SSL accelerators and other kinds of similar stuff are what you may be looking into for help. After all, an IDS would just tell you that they 0wn you, but they still 0wn you, if they can!

Hope it makes things a bit more clear.

-FY
-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1
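The "TCP segment overlaps which are handled differently by each TCP/IP stack" point above is the classic NIDS-evasion ambiguity, and the reason normalizers exist. The following is an added example, not code from the original post or from the Snort project: a toy reassembler with two overlap policies ("first": bytes already received win; "last": a later segment overwrites), plus the check a normalizer or IDS preprocessor would make, namely flagging overlapping segments whose bytes disagree. The segment payloads and the two policy names are constructed for the illustration; real stacks apply finer-grained rules (per-segment start/end, partial overlaps), but the ambiguity shown is the real one.

```python
"""Toy illustration of TCP segment-overlap ambiguity and its detection.

Added example, not code from the original post or from Snort. The
segments below are constructed; the two policies are simplifications
of behaviours real stacks exhibit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes


def reassemble(segments, policy):
    """Rebuild the byte stream from possibly overlapping segments.

    policy "first": a byte already received is kept (older data wins).
    policy "last":  a later segment overwrites bytes already received.
    Which policy the end host uses decides what its application sees;
    an IDS that guesses wrong sees a different stream than the victim.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown policy: %r" % policy)
    stream = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first" and off in stream:
                continue
            stream[off] = b
    # Deliver only the contiguous prefix; stop at the first hole.
    out = bytearray()
    off = 0
    while off in stream:
        out.append(stream[off])
        off += 1
    return bytes(out)


def conflicting_overlaps(segments):
    """Return (offset, first_byte, later_byte) for every byte that a later
    segment re-sends with DIFFERENT content.

    A genuine retransmission repeats identical data, so any non-empty
    result is evidence of insertion/evasion and is what a traffic
    normalizer or IDS preprocessor should alert on (or drop).
    """
    seen = {}
    conflicts = []
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in seen and seen[off] != b:
                conflicts.append((off, seen[off], b))
            seen.setdefault(off, b)
    return conflicts


# Constructed attacker stream: the second segment overlaps the URL bytes
# of the first with a different path of identical length.
ATTACK_SEGMENTS = [
    Segment(0, b"GET /index.html"),
    Segment(5, b"cgi-bin/sh"),
    Segment(15, b" HTTP/1.0\r\n"),
]

# Constructed benign stream: a plain retransmission of identical data.
BENIGN_SEGMENTS = [
    Segment(0, b"GET /index.html"),
    Segment(0, b"GET /index.html"),
    Segment(15, b" HTTP/1.0\r\n"),
]


def main():
    for policy in ("first", "last"):
        print(policy, reassemble(ATTACK_SEGMENTS, policy))
    print("attack conflicts:", len(conflicting_overlaps(ATTACK_SEGMENTS)))
    print("benign conflicts:", len(conflicting_overlaps(BENIGN_SEGMENTS)))


if __name__ == "__main__":
    main()
```

Run it and the same three segments yield `GET /index.html` under the "first" policy and `GET /cgi-bin/sh` under "last": a sensor using one policy and a target using the other disagree about which request was made, while `conflicting_overlaps` flags all ten disputed bytes and stays silent on the honest retransmission. That detection, rather than guessing the victim's policy, is the normalizer approach the post points to.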