Message-ID: <Pine.GSO.4.58.0509280644360.15488@kungfunix.net>
Date: Wed Sep 28 12:01:52 2005
From: sil at infiltrated.net (J. Oquendo)
Subject: Suggestion for IDS


On Wed, 28 Sep 2005 Valdis.Kletnieks@...edu wrote:

In a nutshell I would go with Sentivist.
http://www.nfr.com/solutions/download/HotPick-IPS-Review.pdf

For brief summaries of some other products:
http://www.networkintrusion.co.uk/inline.htm

> All depends on the inbound packet rate, how fast the IDS is, and how
> much RAM you're willing to buy.  Just remember that a sufficiently long
> queue is in itself a denial of service... ;)

A possibly even worse threat is an out-of-sync admin :O

> Just remember to configure the thing sensibly - it's amazing how many
> people manage to shoot themselves in the foot, and find out the hard way
> that yes, Virginia, there ARE people out there that will forge packets
> with the source IP address of the victim's nameserver... ;)

Many IPSes, whether HIPS or NIPS, have (or at least should have)
capabilities for assessing "0-day" threats and generating rules from
them. Even for those *PS products that do, those same "out of sync" admins
will get lost in the sauce no matter what they buy. Personally I think it
becomes the job of the admin to assess threats and stay in tune with
what's going on in the industry. Keep up to date with any new threats and
step it up from there. "THAT" however becomes a bump in the road since too
many admins are lazy.

> It's *very* important to talk about definitions - there's waaay too many
> people who buy an IDS and think that by hooking it to the net, it
> magically becomes an IPS.

Way too many people also have become accustomed to dropping dollars on the
table of INSERT_CORP_HERE thinking they can buy an all inclusive security
solution only to find that it failed.

> An equally great number buy some IPS or other, and find out the hard way
> that they don't block a 0-day or a new worm.....

I'd say from my own experience that someone WITH experience can craft
their own IPS out of an IDS and call it a day, saving money for their company
and possibly creating something equal to, if not better than, some products. On
my little network at work I've managed to substitute many products and
appliances with what's freely available on the open source scene, with some
carefully thought-out and diagrammed programs that I audit pretty much
daily.

There's nothing better for me than being able to modify something to my needs
rather than sitting and waiting until vendor_x's next release because they
didn't implement something. It's also better for me to be able to add a
line or two based on some thread about a new attack as opposed to sitting
around and waiting for vendor_x to verify whether something is a threat or not.

While I do agree with the statement made, "Quite frankly, anybody who
already has a PIX installed and wants to install an IPS needs to quantify
*exactly* what protection the PIX is failing to provide before they go
shopping for anything", to a degree, I also disagree with that statement
since it alludes to the thinking that a PIX alone will save your ass. It
won't, nor will any other firewall, nor will any other product combined
with any OTHER product and so on.

/* REDUNDANT COMMENT */ "You are the weakest link..." People fail
miserably. Products can only do what they're told, but no matter how many
acronymed buzzwords you want to throw around ("Super Hip Intelligent
Threading"), it's still SHIT unless you have the ability to use your own
common sense, experience, knowledge, etc.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89

"Just one more time for the sake of sanity tell me why
 explain the gravity that drove you to this..." Assemblage
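Added example, not part of the original message or of any product named in the thread: a minimal sketch of the "craft your own IPS out of an IDS" idea from the post above, together with the pitfall Valdis raises about attackers forging packets with the source address of the victim's nameserver. It reads Snort-style "alert_fast" lines (constructed sample data, not a real capture), counts alerts per source address, and emits iptables DROP commands once a threshold is crossed. Addresses on a never-block list (resolvers, gateway, management network) are skipped even when they show up as alert sources, so a spoofed flood cannot trick the script into cutting the site off from its own DNS. The addresses, alert text, thresholds and rule syntax are all assumptions chosen for illustration; the commands are returned as strings rather than executed.

```python
"""Turn IDS alerts into block rules, without blocking your own nameserver.

Added example for the thread above; not code from the original poster.
Alert lines follow Snort's alert_fast layout, which this parser assumes:
  <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
"""
import ipaddress
import re
from collections import Counter

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Assumed site-specific list: addresses that must never be auto-blocked, no
# matter what the IDS reports, because an attacker can forge packets with
# these source addresses to make the "IPS" cut us off from them.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "192.0.2.53/32",   # assumed: the site's recursive nameserver
    "192.0.2.1/32",    # assumed: default gateway
    "10.0.0.0/8",      # assumed: internal management network
)]

# Constructed sample alerts (not real traffic). Snort priority 1 is highest.
SAMPLE_ALERTS = [
    "09/28-06:44:36.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.77:1434 -> 192.0.2.10:1434",
    "09/28-06:44:37.000002  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.77:1434 -> 192.0.2.11:1434",
    "09/28-06:44:38.000003  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.77 -> 192.0.2.10",
    "09/28-06:44:39.000004  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.77:3120 -> 192.0.2.10:80",
    # Three alerts whose source is "our" nameserver: spoofed, so it must be skipped.
    "09/28-06:45:01.000005  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.53:1434 -> 192.0.2.10:1434",
    "09/28-06:45:02.000006  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.53:1434 -> 192.0.2.11:1434",
    "09/28-06:45:03.000007  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.0.2.53:1434 -> 192.0.2.12:1434",
    # One alert only: below threshold.
    "09/28-06:46:00.000008  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.10",
    # Low-priority noise: ignored by the priority filter.
    "09/28-06:47:00.000009  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.20 -> 192.0.2.10",
    "09/28-06:47:01.000010  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.20 -> 192.0.2.10",
    "09/28-06:47:02.000011  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.20 -> 192.0.2.10",
    "this line is not an alert and must be ignored",
]


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def is_protected(addr):
    """True if addr falls inside any never-block network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NEVER_BLOCK)


def build_block_rules(alert_lines, threshold=3, max_priority=2):
    """Count qualifying alerts per source and return (rules, skipped).

    rules:   iptables commands for sources at or above the threshold.
    skipped: sources that crossed the threshold but are protected, i.e.
             the spoofed-nameserver case; these should be reviewed by a
             human instead of blocked automatically.
    """
    hits = Counter()
    for line in alert_lines:
        alert = parse_alert(line)
        if alert is None or alert["prio"] > max_priority:
            continue
        hits[alert["src"]] += 1

    rules, skipped = [], []
    for src, count in sorted(hits.items()):
        if count < threshold:
            continue
        if is_protected(src):
            skipped.append(src)
            continue
        rules.append(f"iptables -I INPUT -s {src} -j DROP")
    return rules, skipped


if __name__ == "__main__":
    blocked, protected = build_block_rules(SAMPLE_ALERTS)
    for rule in blocked:
        print(rule)
    for src in protected:
        print(f"# NOT blocking protected source {src}; review manually")
```

Running the script against the constructed alerts yields one DROP rule for 198.51.100.77 and a review note for 192.0.2.53 rather than a rule: the never-block list is what keeps a forged flood from turning the home-grown IPS into the self-inflicted denial of service the thread warns about. A real deployment would also want rule expiry, so that a blocked address is unblocked after some time, and a cap on the total number of auto-generated rules.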
