[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6a5e46470910091016x39c03016w47ecea2aefd6942@mail.gmail.com>
Date: Fri, 9 Oct 2009 12:16:03 -0500
From: Rohit Patnaik <quanticle@...il.com>
To: srujan <srujan82@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
Subject: Re: Attack pattern selection criteria for IPS
products
Why would Cisco, Juniper, etc. maintain the signature sets?
Presumably, each company maintains its own set of allow/deny rules.
--Rohit Patnaik
2009/10/9 srujan <srujan82@...il.com>:
> I agree with your word let "customer network admin selects it". But Tipping Point, Juniper, Cisco and Snort will have a wide range of customers, and maintaining different signature set for different Orgs is a big headache.
>
> All these guys are maintaining 95% to 99% detection coverage at NSS testing. That's why i asked about the selection criteria.
>
> On Fri, Oct 9, 2009 at 1:36 AM, <Valdis.Kletnieks@...edu> wrote:
>>
>> On Fri, 09 Oct 2009 00:47:24 +0530, srujan said:
>>
>> > What is the vulnerability selection criteria of Tipping Point, Juniper IPS
>> > products.
>> >
>> > Is it covering each and every CVE ID or is it selecting particular kind of
>> > attacks. If so what is selection criteria (cvss score or severity level or
>> > most publicly exploited)
>>
>> If the answer isn't "customer network admin selects it", the products are
>> broken and brain damaged. Different sites have different security stances,
>> and different opinions regarding the trade-off between the added security
>> benefit and the throughput and latency hits you take.
>>
>> Even within a site, the trade-offs may vary. I have some machines that
>> are actually air-gapped, some that are heavily firewalled, and some that
>> are lightly firewalled - and there's probably some Snort sensors and honeypots
>> too.. ;)
>>
>> If you're asking for "what pre-canned detection rules they come with", it's
>> probably "all the known vulns that we can figure out how to write a Snort
>> rule that doesn't suck resources". :)
>>
>> OK, maybe they don't use Snort - but the same problems of filter
>> expressiveness, whether/how to do a regexp, and so on, are faced by all IDS/IPS
>> systems. If you need to do a regexp backref, it's going to either not be part
>> of the available toolset, or it's going to suck at line rate on high speed
>> interfaces. Matching '\((134|934){3,5})\(foo|bar)(more ugly)(\1|\2)' is going
>> to suck whether it's Snort or silicon.
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists