IDS mailing list archives
RE: IDS detection approaches
From: "Nelson Brito" <nbrito () sekure org>
Date: Fri, 12 Oct 2007 14:05:28 -0300
It is trivial to filter out post fact and is not normally occurring, I consider the alert successful at detecting nefarious activity. Simple, practical, effective.
I do sorry you have this idea, because it is dangerous and you sub estimating your "enemy". I sent just one example and the point is not the example itself, the point is the way the pattern matching IDS/IPS approaches the signature design. The pattern matching, in their concept, limits you to check a pattern. That is the point, because if you miss any vulnerable condition when detect / protect then you will miss the accuracy of the detection. This is well known by years.
We are talking right past each other here. So what if it is a null payload, if your goal is resource exhaustion then use a real payload. You have achieved absolutely nothing using the null payload, except perhaps to make it easily filtered out of your result set.
No, I disagree, we are not talking right past each other here, we are talking about different things here and I suppose I'm not be clear enough or I really need to get back my English classes. :D The resource exhaustion does not target the SQL, it targets the IPS. If you launch this attack against the SQL, it will send you back a valid answer for your request just if you are really using a SQL in the test environment, because this kind of attack does not depend on SQL and you can run packets targeting any IP address protected by the IPS and it still reports the false positive. That said I presume you now understand my point, otherwise I do refuse to keep this thread alive. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- RE: IDS detection approaches, (continued)
- RE: IDS detection approaches 'Merigoth' (Oct 09)
- Re: IDS detection approaches Liran Cohen (Oct 15)
- Oracle XDB FTP Kanagasingham, Prathaben (Oct 26)
- RE: IDS detection approaches 'Merigoth' (Oct 09)
- RE: IDS detection approaches Nelson Brito (Oct 09)
- Re: IDS detection approaches Sec urity (Oct 09)
- RE: IDS detection approaches Nelson Brito (Oct 10)
- Re: IDS detection approaches Sec urity (Oct 10)
- Message not available
- Re: IDS detection approaches Sec urity (Oct 12)
- RE: IDS detection approaches Nelson Brito (Oct 12)
- Re: IDS detection approaches Sec urity (Oct 12)
- RE: IDS detection approaches Nelson Brito (Oct 12)
- Re: IDS detection approaches Jason (Oct 12)
- RE: IDS detection approaches Nelson Brito (Oct 15)
- Re: IDS detection approaches Jason (Oct 15)
- Re: IDS detection approaches Sec urity (Oct 09)
- Re: IDS detection approaches Gary Halleen (Oct 15)
- RE: IDS detection approaches Marcio (Oct 18)