IDS mailing list archives

Re: Cisco IOS Shellcode - McAfee IPS Protection


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 8 Aug 2005 19:07:10 -0400

On Aug 8, 2005, at 1:22 PM, Ron Gula wrote:

> I think most of them are relying on existing technology. For example,
> a quick check of snort.org and bleedingsnort.org didn't have any new
> Cisco-specific rules, yet there are signatures to detect various Cisco
> attacks already.

We stopped looking for shellcode with Snort years ago; we focus our rule development efforts on detection of people exercising the protocols improperly instead of looking for specific signatures whenever possible. Our existing Cisco rules most likely need to have the messages updated from "DoS" to "exploit"; that's about it. Playing the shellcode detection game is a dead end unless that's all you've got.

     -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Network Defense for the Real World - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org



