lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 08 Oct 2009 16:06:30 -0400
From: Valdis.Kletnieks@...edu
To: srujan <srujan82@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Attack pattern selection criteria for IPS
	products

On Fri, 09 Oct 2009 00:47:24 +0530, srujan said:

> What is the vulnerability selection criteria of Tipping Point, Juniper IPS
> products.
> 
> Is it covering each and every CVE ID or is it selecting particular kind of
> attacks. If so what is selection criteria (cvss score or severity level or
> most publicly exploited)

If the answer isn't "customer network admin selects it", the products are
broken and brain damaged.  Different sites have different security stances,
and different opinions regarding the trade-off between the added security
benefit and the throughput and latency hits you take.

Even within a site, the trade-offs may vary.  I have some machines that
are actually air-gapped, some that are heavily firewalled, and some that
are lightly firewalled - and there's probably some Snort sensors and honeypots
too.. ;)

If you're asking for "what pre-canned detection rules they come with", it's
probably "all the known vulns that we can figure out how to write a Snort
rule that doesn't suck resources". :)

OK, maybe they don't use Snort - but the same problems of filter
expressiveness, whether/how to do a regexp, and so on, are faced by all IDS/IPS
systems.  If you need to do a regexp backref, it's going to either not be part
of the available toolset, or it's going to suck at line rate on high speed
interfaces.  Matching '\((134|934){3,5})\(foo|bar)(more ugly)(\1|\2)' is going
to suck whether it's Snort or silicon.


Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ