RE: signature based IDS/IPS effectiveness

["Nelson Brito" <nbrito () sekure org>]

Hi, fellows!!!

GMail, is depends on how the IDS/IPS approaches the detection of any or all
vulnerabilities. About two months ago, maybe more, I got a discussion about
the thread regarding pattern matching weakness.

Some of the IDS/IPS technology still uses the pattern matching as their
primary technology, using others technologies helping to decrease the
false-positives or even increasing the detection of false-negatives.

If you can configure customized signatures to detect a real vulnerability
you will be able to stop the annoying false-positives. And when I say
signatures to detect vulnerability I'm not talking about the detection of
the return-address, the detection of the shellcode, etc...

If you are able to tell your IDS/IPS to detection a buffer size, not NULL,
with all the variables the vulnerability must have to become exploitable...
So you are able to do whatever you want.

Best regards.

Nelson Brito (f.k.a. stderr)
Sekure SDI's Member since 1999
 

> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of GMail
> Sent: Thursday, January 10, 2008 8:02 AM
> To: Jamie Riden
> Cc: focus-ids () securityfocus com
> Subject: Re: signature based IDS/IPS effectiveness
>
> Thanks Jamie and Stefano for noticing my issues,
>   90% of commercial database specific IDS/IPS systems do 
> "signature matching" exploit detection. They are stateless 
> and mostly based on snort. So does this mean that all they 
> can do is stop public exploits.
> If someone modifies the exploit then the signatures will fail 
> and by that means the appliances too ? 
>    Limiting privileges to minimum required levels and 
> installing minimum required of modules on databases will 
> definitely reduce the risk ratio, but is it sufficient? What 
> about vulnerabilities by which normal user can get superuser 
> privileges or carry out DOS on database services. Is there 
> any way to stop these kinds of attacks? Which would be the 
> best available database security product to handle all these issues?
>
>
> --------------------------------------------------------------
> ----------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it 
> with real-world attacks from CORE IMPACT.
> Go to 
> http://www.coresecurity.com/index.php5?module=Form&action=impa
ct&campaign=intro_sfw 
> to learn more.
> --------------------------------------------------------------
> ----------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------