This is a discussion on Re: [Snort-users] tippingpoint within the Snort forums, part of the System Security and Security Related category.
John Sage wrote:

> On Thu, Oct 16, 2003 at 07:48:41PM -0700, Geoff wrote:
>
>> Ok had to respond to this one :)
>>
>> Implementation of an IPS requires that you only implement signatures that
>> have a VERY low rate of false positive or traffic that you just flat out
>> don't care if it gets dropped.
>
> "..only implement signatures that have a VERY low rate of false positive.."
>
> Yeah. That's certainly no problem, whatsoever :-/
>
> And what do you do about traffic that represents unknown exploits?

What do YOU do about traffic that represents unknown exploits?

Some IDP devices have intelligence to detect violations of protocol. For example, fields that are too large that may indicate a generic buffer overflow attempt. Sure, some misbehaving applications may trigger it, but simple monitoring before activating a filter will tell you that.

What do YOU do about traffic that represents unknown exploits?

A signature can be written to block packets that, for example, indicate a web transaction offering a MIME type of application/hta, which may have been useful for blocking exploits of unpatched Internet Explorer users. Note that it would block a set of generic exploits of that type, not just a specific one. Will it catch all? Of course not. What will? Will it block wanted traffic? Not if you do your homework. You actually have to make a decision about what is wanted, what is needed, and what you're willing to pay in convenience and functionality for security.

Signatures can be written to look for all types of behavior and set up to log traffic on the network to determine their effect before configuring them to block traffic.

Like many other security devices, these products depend upon an intelligent implementer and operator. They're not for someone who wants a black box, who doesn't know or care what type of traffic is on their network, and is unable to analyze the traffic and signatures to configure the box for their particular circumstances.

If you're a manager that wants a security product that stops known and unknown bad things, doesn't require any compromises, and doesn't require trained staff, keep looking. Try Orlando or Anaheim.

> Again, what do you do about the exploits you **don't** know about?

Same thing firewalls, URLSCAN, email filters, and other security tools do. Make a cost-benefit decision about certain types of behavior that are high risk and of little benefit and block them.

What do YOU do?

--
Gary Flynn
Security Engineer - Technical Services
James Madison University
Please R.U.N.S.A.F.E. http://www.jmu.edu/computing/runsafe

Snort-users mailing list: Snort-users@lists.sourceforge.net
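The reply above describes two kinds of filter (a content signature for the application/hta MIME type, and a generic protocol-sanity check for oversized fields) and the workflow of logging matches before switching a signature to blocking. The following Python is an added illustration written for this page; it is not code from the original thread, from Gary Flynn, or from any IPS vendor or the Snort project. The sample HTTP responses, the `MAX_HEADER_VALUE` threshold and all function names are constructed for the example.

```python
# Added example (not from the original post or any product's code): a toy
# model of two filter ideas from the reply above, a content signature for the
# application/hta MIME type and a generic protocol-sanity check for oversized
# header fields, plus the "log first, block later" workflow. All sample data
# and the MAX_HEADER_VALUE threshold are constructed for illustration.
from dataclasses import dataclass

MAX_HEADER_VALUE = 1024  # hypothetical per-header size limit for the anomaly check

# Constructed sample HTTP responses (server -> client), header block plus body.
SAMPLE_RESPONSES = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 5\r\n\r\nhello",
    b"HTTP/1.1 200 OK\r\nContent-Type: application/hta\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nX-Padding: " + b"A" * 2000 + b"\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: APPLICATION/HTA; charset=us-ascii\r\n\r\n",
]


@dataclass
class Verdict:
    action: str    # "pass", "alert" (log mode) or "drop" (block mode)
    reasons: list  # which signatures matched and why


def parse_headers(raw: bytes) -> dict:
    """Return {lowercased-name: value} for the header block of one HTTP message."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def sig_hta(headers: dict):
    """Content signature: the response declares the application/hta media type.

    Only the media type is compared, so parameters such as charset and
    differences in letter case do not cause misses."""
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    return "content-type application/hta" if media_type == "application/hta" else None


def sig_oversized(headers: dict, limit: int = MAX_HEADER_VALUE):
    """Protocol-sanity check: any header value longer than the limit."""
    for name, value in headers.items():
        if len(value) > limit:
            return f"header {name} is {len(value)} bytes (limit {limit})"
    return None


SIGNATURES = {"hta": sig_hta, "oversized": sig_oversized}


def inspect(raw: bytes, mode: str = "log") -> Verdict:
    """Run every signature; in log mode a match only alerts, in block mode it drops."""
    headers = parse_headers(raw)
    reasons = [r for r in (sig(headers) for sig in SIGNATURES.values()) if r]
    if not reasons:
        return Verdict("pass", [])
    return Verdict("drop" if mode == "block" else "alert", reasons)


def dry_run(samples) -> dict:
    """Count per-signature matches over captured traffic.

    This is the monitoring step: run the signatures in log mode against real
    traffic and review what each one would have dropped before enabling it."""
    counts = {name: 0 for name in SIGNATURES}
    for raw in samples:
        headers = parse_headers(raw)
        for name, sig in SIGNATURES.items():
            if sig(headers):
                counts[name] += 1
    return counts


if __name__ == "__main__":
    print("dry run:", dry_run(SAMPLE_RESPONSES))
    for raw in SAMPLE_RESPONSES:
        print(inspect(raw, mode="block"))
```

`dry_run` is the part that matters operationally: the count it returns for each signature, compared against what the operator knows about the traffic, is the basis for deciding whether that signature can move from `log` to `block` without dropping wanted traffic.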