
Re: [Full-Disclosure] Is Marty Lying?

"Detect intrusions" - if you can set an IDS signature for something, then
you shouldn't be vulnerable to it.  So the functionality of IDS is to tell
you when you've been compromised by six-month-old public vulnerabilities
that dvdman has finally gotten his hands on an exploit for, that you never
bothered to patch for?

Useless.

-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-----------------------------------------------------------

On Mon, 22 Sep 2003, Gregory A. Gilliss wrote:

> Peter:
>
> Intrusion Detection systems are designed to detect intrusions. Period.
> No one AFAIK has yet developed the Intrusion Prediction system. If you
> have an alpha version lying around, pls respond with a link. I'm sure
> that you will quickly be deluged with download requests =;^)
>
> Reactive is the nature of the beast, a point that has been rehashed many
> many times here and elsewhere. No finite state machine can anticipate or
> detect the virus that I am right now writing, unless I foolishly make part
> of the binary match an existing sig. There will *always* be a latency
> between action and response. One of the things that people on this list
> do is attempt to assist each other in minimizing that latency.
>
> Now, if we could only get some of the vendors onboard >-)
>
> G
>
> On or about 2003.09.22 21:23:52 +0000, Peter Busser (peter@xxxxxxxxxxxxxxxxx) said:
>
> > Hi!
> >
> > > > 3) Why the fuck do people still think signature-based IDS is worthwhile?
> > > Give us another solution. Are you saying anomaly-based IDS signatures are
> > > _worthwhile_?
> >
> > The problem with IDS systems is the same problem that currently available
> > virus scanners have: they work reactively, not proactively.
> >
> > Making machines harder to break into and improving ways to enforce a security
> > policy (e.g. by using Mandatory Access Control (MAC)) would be one way to
> > deal proactively with security.
>
> --
> Gregory A. Gilliss, CISSP                 Telephone: 1 650 872 2420
> Computer Engineering                      E-mail: greg@xxxxxxxxxxx
> Computer Security                         ICQ: 123710561
> Software Development                      WWW: http://www.gilliss.com/greg/
> PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>