IDS mailing list archives

RE: IDS detection approaches


From: "Nelson Brito" <nbrito () sekure org>
Date: Fri, 12 Oct 2007 18:10:21 -0300

> You are not talking about missing a vulnerable condition, you are
> talking about not handling a _non_ vulnerable condition. There is a very
> real difference that has practical solutions and side effects. Who cares
> if you can generate events for something on a stateless protocol that is
> "correct" but an unsuccessful attempt? It's a trivial post-processing
> effort; a more real threat would be millions of real payloads requiring
> wetware analysis, not perl. That is why endpoint analysis becomes
> important, not a trivially excluded meaningless payload.

I'm talking about both. When you don't have a real approach to detect a real
exploitation of any vulnerability you are opening a door for outsiders. It
does not matter whether you are open to false positives or false negatives.

I believe that having a huge number of false positives in the middle of the
night, dragging you out of bed, is as bad as sleeping on while someone
bypasses your protection. Remember the little boy screaming "Wolf, wolf,
wolf..."

> Hobbyist signatures are for the hobbyist and hammers are for nails, you
> can still get a screw into wood with a hammer though.

I do agree with your statement, but what I see is that too many professionals
are still hobbyists and amateurs when writing signatures or adopting old and
weak approaches for detection and protection.

> It is not that you are not being clear, I think that you are missing
> your point.

My point still is, from the beginning to now, the weakness of adopting
pattern matching as your primary and most important detection technology.
Period!!!

> Target the IPS all you want, but do it with real payloads; BS known
> unsuccessful payloads are trivially post-processed and thus entirely
> ineffective. You should use real payloads or achieve evasion so you at
> least force wetware analysis and/or endpoint intelligence.

Now, you are missing the point, because real payloads help you attack the
target, and fake payloads just bore you and disturb your rest.

I'm done, and I'm setting up a filter to send all the rest to /dev/null.

Thanks to the moderator and the rest of you for your patience with my posts in
this thread.

Best regards.

Nelson Brito
Senior IPS Engineer & Pen-tester
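The two detection approaches argued over in the thread above, side by side, as an added example that is not part of the original post or any participant's code. A content/regex signature fires on the usual attack indicator (a NOP sled or filler after a command), while a protocol-aware check tests the vulnerable condition itself; both run over the same constructed traffic, and the "trivial post-processing" of a known unsuccessful payload is shown as well. The protocol, its 64-byte buffer, the signature and every sample payload are hypothetical and constructed for illustration, not taken from any real product or capture.

```python
"""Pattern-matching vs. vulnerability-condition detection on constructed traffic.

Added example; the target service, buffer size, signature and payloads are all
hypothetical and constructed for illustration.
"""
import re
from typing import Callable, Dict, Optional, Set

# Hypothetical target: a line-based text service that copies the argument of
# a "USER <name>" command into a fixed 64-byte stack buffer. The *vulnerable
# condition* is therefore "USER argument of 64 bytes or more"; anything shorter
# cannot overflow, however exploit-like it looks on the wire.
BUFFER_SIZE = 64

# Approach 1: pattern matching. A content/regex signature that looks for the
# exploit *indicator*: USER followed by a run of 0x90 NOPs or 'A' filler.
SLED_SIGNATURE = re.compile(rb"USER [\x90A]{16,}")


def pattern_alert(payload: bytes) -> bool:
    """Signature engine: alert whenever the indicator bytes are present."""
    return SLED_SIGNATURE.search(payload) is not None


def parse_user_arg(payload: bytes) -> Optional[bytes]:
    """Protocol decoder: return the USER argument, or None if not a USER line."""
    line = payload.split(b"\n", 1)[0]
    if not line.startswith(b"USER "):
        return None
    return line[len(b"USER "):]


def condition_alert(payload: bytes) -> bool:
    """Vulnerability-condition engine: alert only if the overflow precondition holds."""
    arg = parse_user_arg(payload)
    return arg is not None and len(arg) >= BUFFER_SIZE


# Constructed sample traffic (not captured from any real system).
SAMPLES: Dict[str, bytes] = {
    # Legitimate, slightly long user name: neither engine should fire.
    "benign_long_name": b"USER jonathan.winterbottom-the-third\n",
    # Looks like an exploit but is 32 bytes: "correct" yet unsuccessful,
    # it can never reach the end of the buffer.
    "probe_below_buffer": b"USER " + b"\x90" * 32 + b"\n",
    # Classic overflow: NOP sled well past the buffer, then a marker payload.
    "real_overflow": b"USER " + b"\x90" * 200 + b"\xcc\xcc\xcc\xcc\n",
    # 104-byte argument with no repeated filler: overflows, but offers the
    # signature no sled to match (evasion of the pattern, not of the bug).
    "evasion_no_sled": b"USER " + bytes(range(0x41, 0x5B)) * 4 + b"\n",
}


def run_engine(engine: Callable[[bytes], bool]) -> Set[str]:
    """Return the names of the samples on which the given engine alerts."""
    return {name for name, payload in SAMPLES.items() if engine(payload)}


# Post-processing: arguments known to be unsuccessful (e.g. a scanner's canned
# probe that never reaches the buffer) can be filtered out after the fact.
KNOWN_UNSUCCESSFUL_ARGS = {b"\x90" * 32}


def post_process(alerted: Set[str]) -> Set[str]:
    """Drop alerts whose decoded USER argument is a known unsuccessful probe."""
    return {
        name for name in alerted
        if parse_user_arg(SAMPLES[name]) not in KNOWN_UNSUCCESSFUL_ARGS
    }


if __name__ == "__main__":
    sig = run_engine(pattern_alert)
    cond = run_engine(condition_alert)
    print("pattern signature alerts   :", sorted(sig))
    print("after post-processing      :", sorted(post_process(sig)))
    print("vulnerable-condition alerts:", sorted(cond))
```

Running it shows both sides of the argument on one data set: the signature fires on the 32-byte probe (a false positive that post-processing can indeed strip) and misses the 104-byte argument that carries no sled (a false negative that no post-processing can recover), while the condition check fires on exactly the two payloads that can actually overflow the hypothetical buffer.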

