[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <8a6b8e350910111707l5661f0cbq308c41448d8b3caa@mail.gmail.com>
Date: Sun, 11 Oct 2009 20:07:41 -0400
From: James Matthews <nytrokiss@...il.com>
To: Rohit Patnaik <quanticle@...il.com>
Cc: Valdis.Kletnieks@...edu, full-disclosure@...ts.grok.org.uk,
srujan <srujan82@...il.com>
Subject: Re: Attack pattern selection criteria for IPS
products
Yes they do all look at the same common holes and flag them but as for
detection everyone has a different method.
On Fri, Oct 9, 2009 at 1:16 PM, Rohit Patnaik <quanticle@...il.com> wrote:
> Why would Cisco, Juniper, etc. maintain the signature sets?
> Presumably, each company maintains its own set of allow/deny rules.
>
> --Rohit Patnaik
>
> 2009/10/9 srujan <srujan82@...il.com>:
> > I agree with your word let "customer network admin selects it". But
> Tipping Point, Juniper, Cisco and Snort will have a wide range of customers,
> and maintaining different signature set for different Orgs is a big
> headache.
> >
> > All these guys are maintaining 95% to 99% detection coverage at NSS
> testing. That's why i asked about the selection criteria.
> >
> > On Fri, Oct 9, 2009 at 1:36 AM, <Valdis.Kletnieks@...edu> wrote:
> >>
> >> On Fri, 09 Oct 2009 00:47:24 +0530, srujan said:
> >>
> >> > What is the vulnerability selection criteria of Tipping Point, Juniper
> IPS
> >> > products.
> >> >
> >> > Is it covering each and every CVE ID or is it selecting particular
> kind of
> >> > attacks. If so what is selection criteria (cvss score or severity
> level or
> >> > most publicly exploited)
> >>
> >> If the answer isn't "customer network admin selects it", the products
> are
> >> broken and brain damaged. Different sites have different security
> stances,
> >> and different opinions regarding the trade-off between the added
> security
> >> benefit and the throughput and latency hits you take.
> >>
> >> Even within a site, the trade-offs may vary. I have some machines that
> >> are actually air-gapped, some that are heavily firewalled, and some that
> >> are lightly firewalled - and there's probably some Snort sensors and
> honeypots
> >> too.. ;)
> >>
> >> If you're asking for "what pre-canned detection rules they come with",
> it's
> >> probably "all the known vulns that we can figure out how to write a
> Snort
> >> rule that doesn't suck resources". :)
> >>
> >> OK, maybe they don't use Snort - but the same problems of filter
> >> expressiveness, whether/how to do a regexp, and so on, are faced by all
> IDS/IPS
> >> systems. If you need to do a regexp backref, it's going to either not
> be part
> >> of the available toolset, or it's going to suck at line rate on high
> speed
> >> interfaces. Matching '\((134|934){3,5})\(foo|bar)(more ugly)(\1|\2)' is
> going
> >> to suck whether it's Snort or silicon.
> >>
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
http://www.goldwatches.com
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists