Snort mailing list archives
Re: NSS Labs : CheckPoint 97.3% recommended profile hoax ?
From: Martin Holste <mcholste () gmail com>
Date: Tue, 10 May 2011 08:47:10 -0500
Rick, Thanks very much for weighing in on this thread.
About our IPS testing, there were some questions about attack surface. Our attack set includes exploits that return live shells against > 1200 CVSS 7+ vulns, and growing. So most of our content is relevant to typical enterprises. And this is the largest set of vulns in any test (10x the other labs). Includes client and server attacks against all major OS and apps and patch levels.  Less mainstream OS & apps? This is where custom testing becomes important. Lots of methodology info on our site. But then you need the right tools, vulnerable hosts and exploits…
That's great but sounds very server-exploit focused. Sure, you probably have a lot of client-side exploits in there, but if you were to read through the engine discussions on this list for the last year, you'll find that the majority of them are regarding a combination of the stream preproc (which I'm sure NSS does an excellent job testing) and the HTTP preproc (which I'm not so sure you do a good job at testing). Specifically, I'm a lot less concerned with packet fragmentation and flow reversal than I am making sure that a piece of an HTTP header ends up in the right buffer so the correct signature fires.

My team focuses primarily on hunting malware-infected machines, which means that the vast majority of our actionable alerts are on HTTP GET and POST requests to bad guy sites. On any given day, our users have about a 1% chance of being subjected to an ad-banner-based browser exploit. Of these hundreds of daily exploit attempts, less than 1% succeed all the way to check-in. As such, we don't have resources to worry about exploits, and frankly we don't care. We already know the client is going to get attacked at least quarterly. We focus on finding the successful infections so we can nuke them from orbit before they cause problems.

So my question to you is this: what is NSS doing in its testing batteries to evaluate how well products are finding malware check-ins and/or data exfiltration versus exploitation?