[Snort-users] New Trend: Intrusion Prevention

Frank Knobbe fknobbe at ...652...
Sun Dec 15 19:17:04 EST 2002


On Sun, 2002-12-15 at 17:17, Kevin Black wrote:
> [...] Both Hogwash 
> and Guardian were referred to in this thread a few times 
> as IPS so it was fair of me to refer to them as well. [...]

hehe... yeah, so it was. Sorry, I should have harped on the others as
well. (My excuse is that Evolution 1.2 doesn't sort threads as well
anymore as 1.1.x did... :P)

> Any auto response is what I am talking about. Let me put 
> forth a few examples using Snort sigs since this is a 
> Snort mailing list:
> 
> - POP3 PASS overflow attempt  SID:1634 [...]
> - SMTP HELO overflow attempt  SID:1549 [...]
> The IPS if built into the firewall making decisions would 
> have blocked most if not all of your sites email until you 
> determined what the problem was.

I think here we think in black and white again. I know we're talking 0's
and 1's here, but an IPS does not have to fire on ALL signatures. And it
doesn't matter if we have a high or low rate of false positives. In
neither case should an IPS block on any signature. Instead, you should
be able to control which signature you can block. This is of course only
my personal wish list and I don't know if certain vendors care about it
or not. Most software that I've seen is flexible enough where the
decision which signature/rule/event should perform an action is left to
the admin to make.

> When I am talking about this I am not referring to a site 
> where the admin and the net engineer and the sec analyst 
> are the same person or sit next to each other. I am 
> talking more about the larger environments where they may 
> not even know each others faces. Companies like this are 
> the commercial target, not the small shops. [...]
> In your 
> IIS double decode example you need to be really careful. 
> What happens if the security analyst doesn't know that the 
> Web devs just added an "upload a picture" page? 

Yeah, you are correct. You typically have the router folks, which often
do firewalls, and then the IDS folks. I'm aware that they often don't
play nicely with each other. And I see the requirement of communication,
and the risk of communication breakdown which may result in network
breakdown.

Now that you mentioned it, I will be more careful in reading ads for
IPS's and pay attention to which camp they market to
(router/firewall/infrastructure or IDS/security). 

Personally I don't see those two camps merging. It will be interesting
to see how the IDS-firewall merger plays out in the political arena.

> I hate to get into specific examples. I was just stating 
> the case that *at this point in time* the technology is 
> young and is *not there yet*. It does not threaten IDS, nor 
> does it threaten firewalls; it is more of a *feature*. *At 
> this point in time* it is very necessary to be cautious 
> of the setup as it could waste many people's time. 

hehe... I fully agree. 

Thanks for highlighting the political aspect of IPS. I was always
focused on the technology part (since I looked at it in a geeky sorta
way). But I never thought about how the device actually fit into the
organizational structure. In other postings I've seen we only touched
the technical aspect, never the human/political/culture aspect. Thanks
again for emphasizing that.

Cheers,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 305 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20021215/5055a660/attachment.sig>
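The per-signature control Frank describes above, as an added example that is not part of the original post or of Snort itself: a small inline decision engine that reads Snort "fast"-format alert lines and applies an admin-chosen action per SID. The two mail-protocol SIDs (1634, 1549) are the ones named in the thread; SID 1000001 is a hypothetical local rule, and all alert lines below are constructed sample input. The default action is alert-only, so an unreviewed signature can never block traffic, and a second policy with a drop-everything default shows the mail outage Kevin warns about.

```python
"""Per-signature response policy for an inline IDS/IPS (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Snort "fast" alert format, e.g.
# 12/15-19:17:04.123456  [**] [1:1634:5] POP3 PASS overflow attempt [**] [Classification: ...] [Priority: 1] {TCP} a.b.c.d:port -> e.f.g.h:port
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

ALERT, DROP = "alert", "drop"

# Constructed sample alerts. SIDs 1634 and 1549 are the rules named in the
# thread; 1000001 is a hypothetical local rule (local SID range). Addresses
# are RFC 5737 documentation ranges, revisions and classifications are made up.
SAMPLE_ALERTS = [
    "12/15-19:17:04.123456  [**] [1:1634:5] POP3 PASS overflow attempt [**] "
    "[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} "
    "192.0.2.10:3456 -> 192.0.2.2:110",
    "12/15-19:17:09.654321  [**] [1:1549:7] SMTP HELO overflow attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
    "198.51.100.7:25000 -> 192.0.2.3:25",
    "12/15-19:17:12.000001  [**] [1:1000001:1] LOCAL hypothetical blocklisted scanner [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} "
    "203.0.113.9:4444 -> 192.0.2.3:25",
]


@dataclass
class Verdict:
    sid: int
    msg: str
    action: str  # ALERT or DROP
    src: str
    dst: str


class ResponsePolicy:
    """Maps SID -> action; unlisted SIDs get the default.

    The safe default is ALERT: never block on a signature the admin has not
    explicitly reviewed and marked as worth dropping on."""

    def __init__(self, default: str = ALERT):
        if default not in (ALERT, DROP):
            raise ValueError(default)
        self.default = default
        self.actions: Dict[int, str] = {}

    def set(self, sid: int, action: str) -> None:
        if action not in (ALERT, DROP):
            raise ValueError(action)
        self.actions[sid] = action

    def action_for(self, sid: int) -> str:
        return self.actions.get(sid, self.default)


def parse_fast_alert(line: str) -> dict:
    """Parse one fast-format alert line into a dict of typed fields."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable alert line: {line!r}")
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        d[key] = int(d[key])
    return d


def decide(lines: List[str], policy: ResponsePolicy) -> List[Verdict]:
    """Apply the policy to each alert and return the per-alert verdicts."""
    verdicts = []
    for line in lines:
        a = parse_fast_alert(line)
        verdicts.append(Verdict(a["sid"], a["msg"], policy.action_for(a["sid"]), a["src"], a["dst"]))
    return verdicts


def dropped_sids(lines: List[str], policy: ResponsePolicy) -> Set[int]:
    """SIDs whose matches the inline device would actually have dropped."""
    return {v.sid for v in decide(lines, policy) if v.action == DROP}


def build_reviewed_policy() -> ResponsePolicy:
    """Admin-reviewed policy: mail overflow checks alert only; local rule drops."""
    policy = ResponsePolicy(default=ALERT)
    policy.set(1634, ALERT)  # POP3 PASS overflow attempt: a false positive must not block mail
    policy.set(1549, ALERT)  # SMTP HELO overflow attempt: same reasoning
    policy.set(1000001, DROP)  # hypothetical local rule the admin is willing to block on
    return policy


if __name__ == "__main__":
    for v in decide(SAMPLE_ALERTS, build_reviewed_policy()):
        print(f"{v.action:5s} sid={v.sid} {v.src} -> {v.dst}  {v.msg}")
    print("block-on-everything would have dropped:", sorted(dropped_sids(SAMPLE_ALERTS, ResponsePolicy(default=DROP))))
```

Running it shows the reviewed policy dropping only the local rule's traffic while both mail alerts are logged, whereas a policy with a DROP default would have cut off the POP3 and SMTP sessions on the same input, which is exactly the outage Kevin describes.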

