IDS mailing list archives
RE: Signatures taking down network
From: "Mike Barkett" <mbarkett () nfr com>
Date: Fri, 20 Jan 2006 19:44:43 -0500
David - I'll throw the NFR hat in the ring. In this case, my opinions ARE reflective of my employer's, and some product plugging does need to be done. :) First, check with your 3com/TP rep to make sure you have all the updates and everything is configured properly. This is a nightmare scenario for any IPS vendor, and TP has already gotten a lot of bad press to which I believe they have adequately responded. Second, this underscores the value of a truly hybrid approach (stateful sigs fused with protocol anomaly detection) for two reasons: 1) Products that utilize true "0-day" type prevention require less updates. Not zero updates, but less. The WMF example is already played out, so I will use another recent one. The "Qualcomm WorldMail IMAP Server String Literal Processing Overflow Vulnerability" came out some time around 12/20/05. NFR Sentivist detected and prevented this by default. No signature update required. A less advanced system may have required another sig, which could have meant another opportunity for a bug. 2) A vendor with an engine like NFR's has to scramble much less than one that must go into reaction mode. Your question about QA applies here. If a vendor releases a sig based on a vulnerability, well before a proof of concept exists, then they have a little more breathing room to QA it properly. With the WMF bug (sorry), we saw a negative patch gap; that is, a public exploit was released well before the OS was patched. This meant that, from the very beginning, the average Joe IT Guy was in a race with the average Joe Script Kiddie, and the script kiddie got a head start. It also meant bad news for any reactive IPS vendors that needed to accelerate their QA processes in order to continue protecting their customers. Just one vendor's $0.02... -MAB -- (nfr)(security) Michael A Barkett, CISSP Vice President, Systems Engineering (www.nfr.com) +1.240.632.9000 Fax: +1.240.747.3512 -----Original Message----- From: David Williams [mailto:dwilliamsd () gmail com] Sent: Saturday, January 14, 2006 9:04 AM To: focus-ids () securityfocus com Subject: Signatures taking down network I'm evaluating a Tipping Point box and after gettting the latest signatures I'm having problems with the box "crashing". My goal is not to bash Tipping Point, but instead to gather information on how often people have seen this type of thing among IPS boxes. Is there a trend with vendors to roll out signatures as fast as possible without proper QA? This brings up a lot of questions about deploying IPS. I want two opposite things from my vendors: 1) I want the latest signatures super fast. 2) I want proper QA so that it doesn't bring down my network. I realize those two things are contradictory, but I thought I'd throw it out there to see if anybody had any thoughts. thanks, d ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Signatures taking down network David Williams (Jan 16)
- Re: Signatures taking down network Ramon Kagan (Jan 16)
- Re: Signatures taking down network Paul Schmehl (Jan 16)
- Re: Signatures taking down network Dhruv Soi (Jan 17)
- RE: Signatures taking down network Mike Barkett (Jan 24)
- <Possible follow-ups>
- RE: Signatures taking down network Craddock, Larry (Jan 16)
- RE: Signatures taking down network Palmer, Paul (ISSAtlanta) (Jan 18)
- Re: Signatures taking down network Sam Evans (Jan 18)
- Message not available
- Re: Signatures taking down network Sam Evans (Jan 21)
- Re: Signatures taking down network Sam Evans (Jan 18)
- RE: Signatures taking down network Palmer, Paul (ISSAtlanta) (Jan 18)
- RE: Signatures taking down network Ghetti, Tim (Jan 19)
- RE: Signatures taking down network Gary Halleen (ghalleen) (Jan 21)