On 09/01/2008, GMail <[EMAIL PROTECTED]> wrote: > focus-ids, > > How effective are signature based IDS/IPS systems on text based > protocols which involves grammar like PL/SQL. Using PL/SQL I can write same > query with different ways and different constructs that leads to different > query patterns. So does not that mean stateless signature based IDS/IPS > are useless for database servers, etc.
As you say, a Network IDS cannot do a good job of determining 'good' SQL from 'bad' SQL in the general case, but then it's not really designed to do that. In a typical situation, you would have your DB server firewalled off from all but a few hosts - typically your front-end servers. You make sure the front-end servers are using the least privileges possible to access the DB. Then you can create your IDS rules so that it alerts you to attempted accesses to the DB that don't fit in with your design. E.g. beware of large flows going from the DB server outside your company, connection attempts to the DB server from outside your company, lots of password guesses from the front-end servers to the DB server. cheers, Jamie -- Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED] UK Honeynet Project: http://www.ukhoneynet.org/ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
