IDS mailing list archives
Re: newbie questions
From: Jason <security () brvenik com>
Date: Thu, 06 Jan 2005 03:21:26 -0500
Dave Aitel wrote:

> Although, keep in mind, Snort completely fails the CRI test, and does horrible TCP reassembly, let alone SMB or MSRPC reassembly. It just isn't up to the job of detecting an attacker who's gone to some work to bypass this sort of thing.
This statement is misleading and implies that there are systems that do better and can stand up to the same assault. A better statement might be: there is no IDS/IPS up to the job of detecting the attacker who's gone to some work to bypass it.
The reality is that every IDS has evasion potentials, and if you are able to control the environment enough that you can influence the view of the network then you can win, as simple as that. Let's put it out there for consideration.

- All major IDS players fail in the MSRPC space when challenged with a capable attacker.

- No IDS can handle proper TCP state tracking when confronted with a capable attacker. If you are not constrained by 5 hops between you and the endpoint, with at least one of those endpoints being a system charged with noise elimination (Checkpoint, PIX, iptables, screening router...), you can own any state machine.

- All major players will fail to detect XYZ when confronted with the challenge presented by ABC in a controlled environment. Even the supposed inline _normalizing_ systems can be evaded in these ways, and unless you have an astute network staff with a very capable security staff backing it up you are not going to win against the attacker that is paid to sit down and attack you until they get what they are looking for.

Moving beyond the detection space. Active technologies suffer from the same shortcomings in that they must make compromises to achieve a larger goal. IIRC Canvas will report success on a Win32 Apache Chunked encoding attack against a FreeBSD Apache server, for example.
The moral of the story is that you have decisions to make and with open source you at least have an opportunity to make a difference. With all of the systems that compete with Snort you have no opportunity to make a difference unless you have a few million dollars and staff capable of isolating a problem. I can tell you from experience that everyone that I compete with cannot stand up to controlled environments and advanced evasion tactics.
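The TCP state-tracking point in the post above (that a passive sensor's reconstruction of a stream can silently differ from what the endpoint actually accepts) is easier to see with a small reassembler. The Python below is an added example written for this archive page; it is not code from Snort, from any vendor product, or from anyone in the thread. The `Segment` type, the `reassemble` and `sensor_agrees_with_endpoint` functions, the two policy names ("first" and "last"), and the sample segments are all constructed for illustration and are not tied to any real operating system's behaviour. The defensive point it makes: when two segments cover the same byte range with different bytes, the sensor cannot know which copy the endpoint kept unless it models that host's policy, but the inconsistency itself is always observable and is worth alerting on, since an honest retransmission never disagrees with the original.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a passive sensor sees it: relative seq and payload."""
    seq: int
    data: bytes


def reassemble(segments: List[Segment], policy: str = "first") -> Tuple[bytes, List[int]]:
    """Reassemble `segments` (in arrival order) into one contiguous byte string.

    policy == "first": a byte already in the buffer is kept; later copies are ignored.
    policy == "last":  a later copy overwrites the earlier byte.
    Both policy names are hypothetical labels for this example, not a claim about
    how any particular OS or sensor behaves.

    Returns (stream, conflicts). `conflicts` lists every offset where two segments
    carried *different* bytes for the same position. A genuine retransmission never
    produces a conflict, so a non-empty list is a detection signal on its own,
    regardless of which policy the endpoint follows.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    stream: Dict[int, int] = {}
    conflicts: Set[int] = set()
    for seg in segments:
        for i, byte in enumerate(seg.data):
            pos = seg.seq + i
            if pos in stream:
                if stream[pos] != byte:
                    conflicts.add(pos)          # overlap with disagreeing data
                if policy == "last":
                    stream[pos] = byte
            else:
                stream[pos] = byte
    if not stream:
        return b"", []
    lo, hi = min(stream), max(stream)
    gaps = [p for p in range(lo, hi + 1) if p not in stream]
    if gaps:
        # A real sensor would hold the partial data and wait; here we fail loudly.
        raise ValueError(f"stream has holes at offsets {gaps[:5]}")
    return bytes(stream[p] for p in range(lo, hi + 1)), sorted(conflicts)


def sensor_agrees_with_endpoint(segments: List[Segment],
                                sensor_policy: str,
                                endpoint_policy: str) -> bool:
    """True only if the sensor's reconstruction equals what the endpoint keeps.

    This is the target-based argument in one line: unless the sensor models the
    policy of the actual destination host, the two views can diverge without
    any single segment looking malformed.
    """
    sensor_view, _ = reassemble(segments, sensor_policy)
    endpoint_view, _ = reassemble(segments, endpoint_policy)
    return sensor_view == endpoint_view


# Constructed sample traffic (not captured from any real host).
# An honest retransmission of the second segment: identical bytes, no conflict.
CLEAN_SEGMENTS = [Segment(0, b"ABCDE"), Segment(3, b"DEFGH"), Segment(3, b"DEFGH")]
# A retransmission whose first two bytes disagree with the original copy.
CONFLICTING_SEGMENTS = [Segment(0, b"ABCDE"), Segment(3, b"DEFGH"), Segment(3, b"xyFGH")]


if __name__ == "__main__":
    for name, segs in (("clean", CLEAN_SEGMENTS), ("conflicting", CONFLICTING_SEGMENTS)):
        for pol in ("first", "last"):
            data, conflicts = reassemble(segs, pol)
            flag = "  <-- inconsistent overlap, alert" if conflicts else ""
            print(f"{name:12s} policy={pol:5s} -> {data!r} conflicts={conflicts}{flag}")
        print(f"{name:12s} sensor(first) agrees with endpoint(last)?",
              sensor_agrees_with_endpoint(segs, "first", "last"))
```

Run it and the conflicting sample reassembles to a different string under each policy while the clean sample does not; the `conflicts` list is non-empty only for the conflicting sample. The practical takeaway for a sensor operator is that an overlap-consistency alert costs nothing in policy accuracy and fires exactly in the situations the post describes, whereas picking one reassembly policy and staying quiet is where the divergence between sensor and endpoint goes unnoticed.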