Subject: Re: IDS: a novice question. -reply
From: Mark.Teicher@predictive.com
Date: Sat Mar 25 2000 - 12:16:19 CST


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
No, that is not exactly true; most of the IDS systems have the commonly
known attack/vulnerability signatures. Each IDS vendor has their own
research and development team that scours the Internet for
vulnerabilities/exploits posted from all the usual places (i.e. CVE,
Security Focus, SANS, FIRST, CIAC, IRC #'s) and tests whether the
vulnerability/attack signatures are actually worthwhile incorporating into
their product. Vulnerability/attack signatures are being introduced
almost on an hourly basis. Before you deploy a certain IDS system in your
environment, one should manually go through each signature and verify its
helpfulness when creating your site's policy. If your environment is made
up of mixed operating systems and platforms, some attack/vulnerability
signatures may not apply. Every IDS product I have seen has certain
+/-'s, and the explanations may differ among each IDS system also.

If you have an operating system or an internet appliance that is not
listed with the particular IDS system, one still has to do some manual
checking and set up some fancy Access Control Lists to prevent systems
from falling over, since a particular IDS may not be able to alert you in
time.

Most of the IDS vendors have at least 100 signatures in their
product; some signatures are more detailed than others, or are variants
of previously released attack signatures.

I am still waiting for IDS vendors to correct some of the incorrect
signatures that have been shipped with their product, or to update them in
recent versions.
C'mon IDS vendors, there is no reason to check for HP Sendmail 5.65
anymore. HP stopped supporting this version in 1995.

hope this helps

/m

"RajKumar S." <raj2569@yahoo.com>
Sent by: owner-ids@uow.edu.au
03/24/00 09:03 PM

        To: ids@uow.edu.au
        cc:
        Subject: IDS: a novice question.

Hello all,

From all the mails I have been getting here I believe that all the IDS
products have all the available attack signatures, i.e. even if the network
that I use does not contain any Solaris or NT, my IDS s/w will check for all
the possible exploits that can be mounted against an NT or Solaris.

Now why is this necessary, since the performance of an IDS system can be
improved if the number of attack signatures can be reduced?

One use of having all the attack sigs is that it will be possible to log
all the possible attacks that are mounted against my network. But most of
the time they do not cause any harm; for e.g. if I am running a server v1.8
and it explicitly fixed a bug found in v1.7, am I required to have the
attack sig of the bug which was fixed? What use will that sig be to me?

Please correct me if I got some ideas wrong.

raj
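The thread's advice (go through each signature and verify it against your site, and drop signatures for platforms or already-fixed bugs you do not run) can be turned into a repeatable check. The script below is an added example, not code from either poster or from any IDS vendor; the signature records, the `fixed_in` field and the inventory are constructed for illustration.

```python
"""Prune an IDS signature set down to what the local inventory can actually be hit by."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Signature:
    name: str
    platform: str                     # "any" or a platform such as "solaris"
    service: str                      # service the exploit targets
    fixed_in: Optional[tuple] = None  # first version fixing the bug; None if unfixed

@dataclass(frozen=True)
class Asset:
    host: str
    platform: str
    services: dict                    # service name -> version tuple, e.g. {"server": (1, 8)}

def exposed(sig: Signature, asset: Asset) -> bool:
    """True if this host could still be affected by what the signature detects."""
    if sig.platform != "any" and sig.platform != asset.platform:
        return False
    version = asset.services.get(sig.service)
    if version is None:
        return False
    # A bug fixed in fixed_in only matters on hosts still below that version.
    return sig.fixed_in is None or version < sig.fixed_in

def prune(signatures, inventory):
    """Split signatures into (enabled names, {disabled name: reason})."""
    enabled, disabled = [], {}
    for sig in signatures:
        if any(exposed(sig, a) for a in inventory):
            enabled.append(sig.name)
        elif sig.platform != "any" and not any(a.platform == sig.platform for a in inventory):
            disabled[sig.name] = f"no {sig.platform} hosts in inventory"
        elif not any(sig.service in a.services for a in inventory):
            disabled[sig.name] = f"no host runs {sig.service}"
        else:
            disabled[sig.name] = f"all {sig.service} hosts already at >= {sig.fixed_in}"
    return enabled, disabled

# Constructed sample data (not real signatures): the "v1.7 bug fixed in v1.8"
# case from the question and the "no Solaris or NT on the network" case.
SIGNATURES = [
    Signature("solaris-rpc-example", "solaris", "rpc"),
    Signature("nt-netbios-example", "windows-nt", "netbios"),
    Signature("server-v1.7-bug", "any", "server", fixed_in=(1, 8)),
    Signature("server-unpatched-bug", "any", "server"),
]
INVENTORY = [
    Asset("web1", "linux", {"server": (1, 8)}),
    Asset("mail1", "linux", {"sendmail": (8, 9)}),
]
```

Re-run `prune` whenever the inventory changes: a single host left at the vulnerable version brings the fixed-bug signature straight back into the enabled set.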