Re: [Dailydave] Sniffing is not the easy answer, Kate.
From: Ron Gula (rgula at tenablesecurity.com)
Date: Tue Oct 11 2005 - 08:18:58 CDT
I agree that there should be a forced honesty among sniffer vendors,
but sniffing some things is still much easier than coordinating logs
from multiple hosts (thousands of hosts) to one place. Host security
systems can be just as vulnerable to evasion in some cases too.
Ron Gula, CTO
Tenable Network Security
At 08:04 AM 10/11/2005, Dave Aitel wrote:
>I know I sound like Kate Moss here, but: Sniffing is not the easy answer.
>Making sniffing solutions is like betting that over the next decade or so,
>cpu*memory > bandwidth*protocol complexity. I just can't see that
>happening. It used to be plausible because there were a lot of shortcuts
>you could take - signatures, for example - that would help out. These
>days, everyone knows signatures are broken and you have to parse every
>protocol to do whatever it is you are trying to do. Of course it's
>possible you don't have all the information you need to do whatever it is
>you want to do: deep down, sniffing solutions are essentially a tax on
>network segmentation.
>
>One of the things I think that is going to change the balance of the
>equation is a forced honesty among sniffing solutions vendors. For
>example, CANVAS 7 is a Service Oriented Architecture. What this means to
>sniffing companies is that they never get to see the algorithm that
>generates our nops. Our shellcode polymorphism routines can remain hidden,
>and evolve over short periods of time, and still be used by a wide number
>of people.
>The internal algorithm that powers an exploit can remain unspoken - you
>send us the binary for su, we return you a root shell. It allows for
>coordination on a mass scale - if I've hacked 2^16 machines (or some
>smaller number of networks + spoofing), I can scan you on each port from a
>separate IP address.
>
>That's my thought for the day. Now I'm going to go teach class - I'm
>missing fabulous 8-bug Microsoft Christmas! This is the first Microsoft
>Christmas with a public BinNavi to help you produce quick repros
>(http://www.immunitysec.com/products-binnavi.shtml). :>
>
>-dave
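As an added illustration of the signatures-versus-parsing point in the quoted text (example code written for this page, not from the Dailydave thread, Immunity, or Tenable): a raw-byte signature for a directory-traversal probe fires only on the literal encoding it was written for, while a matcher that first parses the HTTP request line and normalizes the path catches the same request in several encodings. The signature, the parsed rule and the sample request lines are all constructed for this example; no real ruleset or captured traffic is involved.

```python
"""Raw-byte signature versus protocol-aware matching.

Added example, not code from the original thread. The signature, the
parsed rule and the sample HTTP request lines below are all constructed
for illustration; nothing here is taken from a real IDS ruleset.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical raw-byte signature for a directory-traversal probe.
RAW_SIGNATURE = b"../../etc/passwd"

# The same rule expressed against the parsed and normalized request path.
PARSED_RULE = "/etc/passwd"

# Constructed sample request lines (not captured traffic). Four are the
# same traversal attempt in different encodings; the last one is benign.
SAMPLES = {
    "plain":    b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n",
    "encoded":  b"GET /cgi-bin/..%2f..%2fetc%2fpasswd HTTP/1.0\r\n\r\n",
    "double":   b"GET /cgi-bin/..%252f..%252fetc%252fpasswd HTTP/1.0\r\n\r\n",
    "dotslash": b"GET /cgi-bin/./.././../etc/./passwd HTTP/1.0\r\n\r\n",
    "benign":   b"GET /cgi-bin/status HTTP/1.0\r\n\r\n",
}


def raw_signature_match(packet: bytes) -> bool:
    """The shortcut: a substring search over the wire bytes."""
    return RAW_SIGNATURE in packet


def normalized_request_path(packet: bytes) -> str:
    """Parse the HTTP request line and normalize the path the way a
    permissive server would before using it.

    Assumption for this example: the monitored server percent-decodes
    repeatedly (so double encoding collapses) and resolves './' and '../'
    segments. A real sensor must model the specific server it protects,
    which is exactly the per-protocol parsing cost the thread discusses.
    """
    request_line = packet.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line: %r" % request_line)
    path = parts[1]
    # Decode until a fixed point, bounded so hostile input cannot loop forever.
    for _ in range(4):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath(path)


def parsed_rule_match(packet: bytes) -> bool:
    """Match the rule against the normalized path, not the raw bytes."""
    return normalized_request_path(packet) == PARSED_RULE


def evaluate(samples=SAMPLES):
    """Return {name: (raw_hit, parsed_hit)} for every sample."""
    return {name: (raw_signature_match(pkt), parsed_rule_match(pkt))
            for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (raw_hit, parsed_hit) in evaluate().items():
        print("%-9s raw=%-5s parsed=%s" % (name, raw_hit, parsed_hit))
```

Run stand-alone it prints one line per sample: only the "plain" request trips the raw signature, while the parsed rule fires on all four traversal variants and stays quiet on the benign request. The decode-and-normalize step is cheap here because it is one protocol and one server model; the cost the thread argues about comes from having to do the equivalent for every protocol on the wire, at line rate, with the server's exact quirks reproduced.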