Omar Herrera wrote:
> The reason why white listing doesn't work is not because it is overly
> complex but because it requires us to do things properly starting from
> the way we do business and design our systems and applications. It does
> take time and requires that we know our assets and business functions to
> set permissions,.

IMHO here you're making a quite strong (and wrong) assumption: you assume that software will always work as you expect it to do. Should that be the case, you would be able to predict everything and the whitelist approach would work.

Unfortunately, in 35 years of C programming, people haven't learnt yet how to avoid buffer overflows (this example applies to any other vulnerability you like).

Yes, the whole intrusion detection (and prevention in particular) game is "just" a big attempt to "patch" bugged systems... clearly, this patching process cannot be perfect (and never will).

Cheers

--
Damiano Bolzoni
[EMAIL PROTECTED]
Homepage http://dies.ewi.utwente.nl/~bolzonid/
PGP public key http://dies.ewi.utwente.nl/~bolzonid/public_key.asc
Skype ID: [EMAIL PROTECTED]
Distributed and Embedded Security Group - University of Twente
P.O. Box 217 7500AE Enschede, The Netherlands
Phone +31 53 4892477
Mobile +31 629 008724
ZILVERLING building, room 3013
