Message-Id: <7A43E13C-7E64-4EAC-B7C6-6F791FFA7F89@sekure.org>
Date: Wed, 2 Jun 2010 11:12:48 -0300
From: Nelson Brito <nbrito@...ure.org>
To: Cor Rosielle <cor@...post24.com>
Cc: "<full-disclosure@...ts.grok.org.uk>" <full-disclosure@...ts.grok.org.uk>,
	Srinivas Naik <naik.srinu@...il.com>
Subject: Re: Full-disclosure] Why the IPS product designers

Ohh.. I just forgot to send you some interesting links:
http://en.wikipedia.org/wiki/Intrusion_prevention_system
http://en.wikipedia.org/wiki/Intrusion_detection_system
http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
http://en.wikipedia.org/wiki/Network_intrusion_detection_system

Just to educate you! 8)

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Please, help me to develop the ENG® SQL Fingerprint™ downloading it  
from Google Code (http://code.google.com/p/mssqlfp/) or from  
Sourceforge (https://sourceforge.net/projects/mssqlfp/).

Sent on an  iPhone wireless device. Please, forgive any potential  
misspellings!

On Jun 2, 2010, at 3:35 AM, "Cor Rosielle" <cor@...post24.com> wrote:

> I would say: an host IPS could be considered, even if there is a network
> IPS. If it is a wise decision to spend your money or use your hardware for
> this, depends from case to case. And I might even add: if someone tells you
> different, he must be selling something.
>
> Regards,
> Cor
>
>
>> -----Original Message-----
>> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-
>> disclosure-bounces@...ts.grok.org.uk] On Behalf Of Srinivas Naik
>> Sent: dinsdag 1 juni 2010 21:14
>> To: full-disclosure@...ts.grok.org.uk
>> Subject: [Full-disclosure] Full-disclosure] Why the IPS product
>> designers
>>
>> Mr. Nelson has brought a good point, Host IPS should also be running even if
>> there is Network IPS.
>>
>> There are Client end Attacks which has got many Evasion techniques and
>> almost the recent research presents us the proof of such Attacks.
>> Apart these there exist other exploits/malware which cannot be detected over
>> the network.
>>
>> Regards,
>> Srinivas Naik (Certified Hacker and Forensic Investigator)
>> IPS Evaluator
>> http://groups.google.com/group/nforceit
>>
>> On Tue, Jun 1, 2010 at 9:16 PM,
>> <full-disclosure-request@...ts.grok.org.uk>wrote:
>>
>>>
>>> Today's Topics:
>>>
>>>  1. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection (Nelson Brito)
>>>  2. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection
>>>     (Valdis.Kletnieks@...edu)
>>>  3. DoS vulnerability in Internet Explorer (MustLive)
>>>  4. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection (rajendra prasad)
>>>  5. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection (Cor Rosielle)
>>>  6. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection (Nelson Brito)
>>>  7. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection (Nelson Brito)
>>>  8. Re: DoS vulnerability in Internet Explorer (Laurent Gaffie)
>>>  9. Re: DoS vulnerability in Internet Explorer (Laurent Gaffie)
>>> 10. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection (Cor Rosielle)
>>> 11. Re: DoS vulnerability in Internet Explorer (PsychoBilly)
>>> 12. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection (Nelson Brito)
>>> 13. Onapsis Research Labs: Onapsis Bizploit - The opensource ERP
>>>     Penetration Testing framework (Onapsis Research Labs)
>>> 14. Re: The_UT is repenting (T Biehn)
>>>
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Tue, 1 Jun 2010 08:50:05 -0300
>>> From: Nelson Brito <nbrito@...ure.org>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>       concentrate on  server side protection? why they are missing
>> client
>>>       protection
>>> To: rajendra prasad <rajendra.palnaty@...il.com>
>>> Cc: "full-disclosure@...ts.grok.org.uk"
>>>       <full-disclosure@...ts.grok.org.uk>
>>> Message-ID: <E01DF83F-4EB0-4212-8866-76DDB5C3B55B@...ure.org>
>>> Content-Type: text/plain;       charset=utf-8;  format=flowed;
>> delsp=yes
>>>
>>> You're missing one point: Host IPS MUST be deployed with any Network
>>> Security (Firewalls or NIPSs).
>>>
>>> No security solution/technology is the miracle protection alone, so
>>> that's the reason everybody is talking about defense in depth.
>>>
>>> Cheers.
>>>
>>> Nelson Brito
>>> Security Researcher
>>> http://fnstenv.blogspot.com/
>>>
>>> Please, help me to develop the ENG® SQL Fingerprint™ downloading it
>>> from Google Code (http://code.google.com/p/mssqlfp/) or from
>>> Sourceforge (https://sourceforge.net/projects/mssqlfp/).
>>>
>>> Sent on an iPhone wireless device. Please, forgive any potential
>>> misspellings!
>>>
>>> On Jun 1, 2010, at 4:38 AM, rajendra prasad
>>> <rajendra.palnaty@...il.com> wrote:
>>>
>>>> Hi List,
>>>>
>>>> I am putting my thoughts on this, please share your thoughts,
>>>> comments.
>>>>
>>>> Request length is less than the response length. So, processing small
>>>> amount of data is better than of processing bulk data. Response may
>>>> have encrypted data. Buffering all the client-server transactions
>>>> and validating signatures on them is difficult. Even though
>>>> buffered, client data may not be in the plain text. Embedding all
>>>> the client encryption/decryption process on the fly is not possible,
>>>> even though ips gathered key values of clients. Most of the client
>>>> protection is done by anti-virus. So, concentrating client attacks
>>>> at IPS level is not so needed.
>>>>
>>>>
>>>> Thanks
>>>> Rajendra
>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 2
>>> Date: Tue, 01 Jun 2010 08:34:22 -0400
>>> From: Valdis.Kletnieks@...edu
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>       concentrate on  server side protection? why they are missing
>> client
>>>       protection
>>> To: rajendra prasad <rajendra.palnaty@...il.com>
>>> Cc: full-disclosure@...ts.grok.org.uk
>>> Message-ID: <14206.1275395662@...alhost>
>>> Content-Type: text/plain; charset="us-ascii"
>>>
>>> On Tue, 01 Jun 2010 13:08:32 +0530, rajendra prasad said:
>>>
>>>> Request length is less than the response length. So, processing small amount
>>>> of data is better than of processing bulk data. Response may have encrypted
>>>> data. Buffering all the client-server transactions and validating signatures
>>>> on them is difficult.
>>>
>>> All of that is total wanking.  The *real* reason why IPS product designers
>>> concentrate on servers is because hopefully the server end is run by some
>>> experienced people with a clue, and maybe even hardened to last more than
>>> 35 seconds when a hacker attacks.  Meanwhile, if anybody designed an IPS for
>>> the client end, it would just get installed on an end-user PC running Windows,
>>> where it will have all the issues and work just as well as any other
>>> anti-malware software on an end-user PC.
>>>
>>> Oh - and there's also the little detail that a site is more likely to buy
>>> *one* software license to run on their web server (or whatever), rather than
>>> the hassle of buying and administering 10,000 end-user licenses. Especially
>>> when an IPS on the client end doesn't actually tell you much about attacks
>>> against the valuable target (the server) from machines you haven't installed
>>> the end-user IPS on (like the entire rest of the Internet).
>>>
>>> ------------------------------
>>>
>>> Message: 3
>>> Date: Tue, 1 Jun 2010 15:42:58 +0300
>>> From: "MustLive" <mustlive@...security.com.ua>
>>> Subject: [Full-disclosure] DoS vulnerability in Internet Explorer
>>> To: <full-disclosure@...ts.grok.org.uk>
>>> Message-ID: <005e01cb0188$162059b0$010000c0@ml>
>>> Content-Type: text/plain; format=flowed; charset="windows-1251";
>>>       reply-type=response
>>>
>>> Hello Full-Disclosure!
>>>
>>> I want to warn you about Denial of Service vulnerability in Internet
>>> Explorer. Which I already disclosed at my site in 2008 (at 29.09.2008). But
>>> recently I made new tests concerning this vulnerability, so I decided to
>>> remind you about it.
>>>
>>> I know this vulnerability for a long time - it's well-known DoS in IE. It
>>> works in IE6 and after release of IE7 I hoped that Microsoft fixed this hole
>>> in seventh version of the browser. But as I tested at 29.09.2008, IE7 was
>>> also vulnerable to this attack. And as I tested recently, IE8 is also
>>> vulnerable to this attack.
>>>
>>> Also I informed Microsoft at 01.10.2008 about it, but they ignored and
>>> didn't fix it. They didn't fix the hole not in IE6, nor in IE7, nor in IE8.
>>>
>>> That time I published about this vulnerability at SecurityVulns
>>> (http://securityvulns.com/Udocument636.html).
>>>
>>> DoS:
>>>
>>> Vulnerability concerned with handling by browser of expression in styles,
>>> which leads to blocking of work of IE.
>>>
>>> http://websecurity.com.ua/uploads/2008/IE%20DoS%20Exploit4.html
>>>
>>> Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet
>>> Explorer 7 (7.0.6000.16711), Internet Explorer 8 (8.0.7600.16385) and
>>> previous versions.
>>>
>>> To Susan Bradley from Bugtraq:
>>>
>>> This is one of those cases, which I told you before, when browser vendors
>>> ignore to fix DoS holes in their browsers for many years.
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 4
>>> Date: Tue, 1 Jun 2010 18:28:03 +0530
>>> From: rajendra prasad <rajendra.palnaty@...il.com>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>       concentrate on  server side protection? why they are missing
>> client
>>>       protection
>>> To: full-disclosure@...ts.grok.org.uk
>>> Message-ID:
>>>       <AANLkTinFeCKoKUNI59k2citWgTJlytqjRiZ8Ze8oM1rp@...l.gmail.com>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> Hi List,
>>>
>>> I have started this discussion with respect to Network IPS.
>>>
>>> Thanks
>>> Rajendra
>>>
>>> On Tue, Jun 1, 2010 at 1:08 PM, rajendra prasad
>>> <rajendra.palnaty@...il.com>wrote:
>>>
>>>> Hi List,
>>>>
>>>> I am putting my thoughts on this, please share your thoughts, comments.
>>>>
>>>> Request length is less than the response length. So, processing small amount
>>>> of data is better than of processing bulk data. Response may have encrypted
>>>> data. Buffering all the client-server transactions and validating signatures
>>>> on them is difficult. Even though buffered, client data may not be in the
>>>> plain text. Embedding all the client encryption/decryption process on the
>>>> fly is not possible, even though ips gathered key values of clients. Most of
>>>> the client protection is done by anti-virus. So, concentrating client
>>>> attacks at IPS level is not so needed.
>>>>
>>>>
>>>> Thanks
>>>> Rajendra
>>>>
>>>>
>>>>
>>>
>>> ------------------------------
>>>
>>> Message: 5
>>> Date: Tue, 1 Jun 2010 14:52:51 +0200
>>> From: "Cor Rosielle" <cor@...post24.com>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>       concentrate     on      server side protection? why they are
>> missing
>>> client
>>>       protection
>>> To: "'Nelson Brito'" <nbrito@...ure.org>
>>> Cc: full-disclosure@...ts.grok.org.uk
>>> Message-ID: <003001cb0189$5962ddf0$0c2899d0$@com>
>>> Content-Type: text/plain;       charset="UTF-8"
>>>
>>> Nelson,
>>>
>>>> You're missing one point: Host IPS MUST be deployed with any Network
>>>> Security (Firewalls or NIPSs).
>>> Please be aware this is a risk decision and not a fact. I don't use an host
>>> IPS and no anti Virus either. Still I'm sure my laptop is perfectly safe.
>>> This is because I do critical thinking about security measures and don't
>>> copy behavior of others (who often don't think for themselves and just
>>> copies other peoples behavior). Please note I'm not saying you're not
>>> thinking. If you did some critical thinking and an host IPS is a good
>>> solution for you, then that's OK. It just doesn't mean it is a good solution
>>> for everybody else and everybody MUST deploy an host IPS.
>>>
>>>> No security solution/technology is the miracle protection alone,
>>> That's true.
>>>
>>>> so that's the reason everybody is talking about defense in depth.
>>> Defense in depth is often used for another line of a similar defense
>>> mechanism as the previous already was. Different layers of defense works
>>> best if the defense mechanism differ. So if you're using anti virus software
>>> (which gives you an authentication control and an alarm control according to
>>> the OSSTMM), then an host IDS is not the best additional security measure
>>> (because this also gives you an authentication and an alarm control).
>>> This would also be a risk decision, but based on facts and the rules
>>> defined in the OSSTMM and not based on some marketing material. You should
>>> give it a try.
>>>
>>> Regards,
>>> Cor Rosielle
>>>
>>> w: www.lab106.com
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> Message: 6
>>> Date: Tue, 1 Jun 2010 10:27:48 -0300
>>> From: Nelson Brito <nbrito@...ure.org>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>       concentrate on  server side protection? why they are missing
>> client
>>>       protection
>>> To: rajendra prasad <rajendra.palnaty@...il.com>
>>> Cc: "full-disclosure@...ts.grok.org.uk"
>>>       <full-disclosure@...ts.grok.org.uk>
>>> Message-ID: <76444513-375E-472C-A3CA-8F4A9776EDD4@...ure.org>
>>> Content-Type: text/plain; charset="utf-8"
>>>
>>> Okay, but why did you mention AV as a client-side protection?
>>>
>>> It leads to a discussion about client-side protection, anyways.
>>>
>>> Cheers.
>>>
>>> Nelson Brito
>>> Security Researcher
>>> http://fnstenv.blogspot.com/
>>>
>>> Please, help me to develop the ENG® SQL Fingerprint™ downloading it
>>> from Google Code (http://code.google.com/p/mssqlfp/) or from
>>> Sourceforge (https://sourceforge.net/projects/mssqlfp/).
>>>
>>> Sent on an iPhone wireless device. Please, forgive any potential
>>> misspellings!
>>>
>>> On Jun 1, 2010, at 9:58 AM, rajendra prasad
>>> <rajendra.palnaty@...il.com> wrote:
>>>
>>>> Hi List,
>>>>
>>>> I have started this discussion with respect to Network IPS.
>>>>
>>>> Thanks
>>>> Rajendra
>>>>
>>>> On Tue, Jun 1, 2010 at 1:08 PM, rajendra prasad
>>>> <rajendra.palnaty@...il.com> wrote:
>>>> Hi List,
>>>>
>>>> I am putting my thoughts on this, please share your thoughts,
>>>> comments.
>>>>
>>>> Request length is less than the response length. So, processing small
>>>> amount of data is better than of processing bulk data. Response may
>>>> have encrypted data. Buffering all the client-server transactions
>>>> and validating signatures on them is difficult. Even though
>>>> buffered, client data may not be in the plai

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
