On 16/03/2009 19.39, Paul Schmehl wrote:
Unless you can be more specific, I'm going to call your claim bogus. It is entirely possible to write one snort signature that will detect *every* instance of an attempt to overflow a buffer in a particular applicaiton no matter what the attack "signature" is. You just have to understand the snort logic and syntax and understand packet analysis well enough.
I don't see the words "buffer overflow" in my post, so maybe it's possible to write a signature to catch *any* instances exploiting a certain buffer overflow...but I'm more interested in the following. Can you write a *single* signature to detect this:
POST / HTTP/1.1 ... Content-Length: N (1000 <= N <= 204800) AAAAAAAAAAAAAAAAAAAA.... or BBBBBBBBBBBBBBBBBBBB.... or 11111111111111111111..... (N times the same byte value, and each request a different byte) I would be really thankful (and I'm not being sarcastic).
And yes, I know exactly which IDS you're referring to. They also claim to have the best vulnerability scanner on the market - one we found so useless we trashed it after spending ridiculous amounts of money and insance amounts of effort trying to get it to work. If that's any indication of how well their IDS works, I wouldn't give it the time of day, much less a fair evaluation.
I didn't say their IDS can detect any attack instances, and I didn't say it's the best out there. I'm not aware of the performance of their vulnerability scanner, and I would say that inferring the "quality" of an IDS from the quality of a VA tool is like comparing apples to oranges.
-- Damiano Bolzoni [email protected] Homepage http://dies.ewi.utwente.nl/~bolzonid/ PGP public key http://dies.ewi.utwente.nl/~bolzonid/public_key.asc Skype ID: [email protected] Distributed and Embedded Security Group - University of Twente P.O. Box 217 7500AE Enschede, The Netherlands Phone +31 53 4892477 Mobile +31 629 008724 ZILVERLING building, room 3013
