Ohh.. I just forgot to send you some interesting links:

http://en.wikipedia.org/wiki/Intrusion_prevention_system
http://en.wikipedia.org/wiki/Intrusion_detection_system
http://en.wikipedia.org/wiki/Host-based_intrusion_detection_system
http://en.wikipedia.org/wiki/Network_intrusion_detection_system

Just to educate you! 8)

Nelson Brito
Security Researcher
http://fnstenv.blogspot.com/

Please, help me to develop the ENG® SQL Fingerprint™ downloading it
from Google Code (http://code.google.com/p/mssqlfp/) or from
Sourceforge (https://sourceforge.net/projects/mssqlfp/).

Sent on an iPhone wireless device. Please, forgive any potential
misspellings!

On Jun 2, 2010, at 3:35 AM, "Cor Rosielle" <[email protected]> wrote:

> I would say: an host IPS could be considered, even if there is a network
> IPS. If it is a wise decision to spent your money or use your hardware for
> this, depends from case to case. And I might even add: if someone tells you
> different, he must be selling something.
>
> Regards,
> Cor
>
>> -----Original Message-----
>> From: [email protected] [mailto:full-[email protected]] On Behalf Of Srinivas Naik
>> Sent: dinsdag 1 juni 2010 21:14
>> To: [email protected]
>> Subject: [Full-disclosure] Full-disclosure] Why the IPS product designers
>>
>> Mr. Nelson has brought a good point, Host IPS should also be running even if
>> there is Network IPS.
>>
>> There are Client end Attacks which has got many Evasion techniques and
>> almost the recent research presents us the proof of such Attacks.
>> Apart these there exist other exploits/malware which cannot be detected over
>> the network.
>>
>> Regards,
>> Srinivas Naik (Certified Hacker and Forensic Investigator)
>> IPS Evaluator
>> http://groups.google.com/group/nforceit
>>
>> On Tue, Jun 1, 2010 at 9:16 PM, <[email protected]> wrote:
>>
>>> Send Full-Disclosure mailing list submissions to
>>>     [email protected]
>>>
>>> To subscribe or unsubscribe via the World Wide Web, visit
>>>     https://lists.grok.org.uk/mailman/listinfo/full-disclosure
>>> or, via email, send a message with subject or body 'help' to
>>>     [email protected]
>>>
>>> You can reach the person managing the list at
>>>     [email protected]
>>>
>>> When replying, please edit your Subject line so it is more specific
>>> than "Re: Contents of Full-Disclosure digest..."
>>>
>>> Note to digest recipients - when replying to digest posts, please trim your
>>> post appropriately. Thank you.
>>>
>>> Today's Topics:
>>>
>>>  1. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection (Nelson Brito)
>>>  2. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection
>>>     ([email protected])
>>>  3. DoS vulnerability in Internet Explorer (MustLive)
>>>  4. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection (rajendra prasad)
>>>  5. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection (Cor Rosielle)
>>>  6. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection (Nelson Brito)
>>>  7. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection (Nelson Brito)
>>>  8. Re: DoS vulnerability in Internet Explorer (Laurent Gaffie)
>>>  9. Re: DoS vulnerability in Internet Explorer (Laurent Gaffie)
>>> 10. Re: Why the IPS product designers concentrate on server side
>>>     protection?
>>>     why they are missing client protection (Cor Rosielle)
>>> 11. Re: DoS vulnerability in Internet Explorer (PsychoBilly)
>>> 12. Re: Why the IPS product designers concentrate on server side
>>>     protection? why they are missing client protection (Nelson Brito)
>>> 13. Onapsis Research Labs: Onapsis Bizploit - The opensource ERP
>>>     Penetration Testing framework (Onapsis Research Labs)
>>> 14. Re: The_UT is repenting (T Biehn)
>>>
>>> ----------------------------------------------------------------------
>>>
>>> Message: 1
>>> Date: Tue, 1 Jun 2010 08:50:05 -0300
>>> From: Nelson Brito <[email protected]>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>     concentrate on server side protection? why they are missing client
>>>     protection
>>> To: rajendra prasad <[email protected]>
>>> Cc: "[email protected]" <[email protected]>
>>> Message-ID: <[email protected]>
>>> Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
>>>
>>> You're missing one point: Host IPS MUST be deployed with any Network
>>> Security (Firewalls or NIPSs).
>>>
>>> No security solution/technology is the miracle protection alone, so
>>> that's the reason everybody is talking about defense in depth.
>>>
>>> Cheers.
>>>
>>> Nelson Brito
>>> Security Researcher
>>> http://fnstenv.blogspot.com/
>>>
>>> Please, help me to develop the ENG® SQL Fingerprint™ downloading it
>>> from Google Code (http://code.google.com/p/mssqlfp/) or from
>>> Sourceforge (https://sourceforge.net/projects/mssqlfp/).
>>>
>>> Sent on an iPhone wireless device. Please, forgive any potential
>>> misspellings!
>>>
>>> On Jun 1, 2010, at 4:38 AM, rajendra prasad
>>> <[email protected]> wrote:
>>>
>>>> Hi List,
>>>>
>>>> I am putting my thoughts on this, please share your thoughts,
>>>> comments.
>>>>
>>>> Request length is less than the response length. So, processing small
>>>> amount of data is better than of processing bulk data. Response may
>>>> have encrypted data.
>>>> Buffering all the client-server transactions
>>>> and validating signatures on them is difficult. Even though
>>>> buffered, client data may not be in the plain text. Embedding all
>>>> the client encryption/decryption process on the fly is not possible,
>>>> even though ips gathered key values of clients. Most of the client
>>>> protection is done by anti-virus. So, concentrating client attacks
>>>> at IPS level is not so needed.
>>>>
>>>> Thanks
>>>> Rajendra
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>> ------------------------------
>>>
>>> Message: 2
>>> Date: Tue, 01 Jun 2010 08:34:22 -0400
>>> From: [email protected]
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>     concentrate on server side protection? why they are missing client
>>>     protection
>>> To: rajendra prasad <[email protected]>
>>> Cc: [email protected]
>>> Message-ID: <14206.1275395...@localhost>
>>> Content-Type: text/plain; charset="us-ascii"
>>>
>>> On Tue, 01 Jun 2010 13:08:32 +0530, rajendra prasad said:
>>>
>>>> Request length is less than the response length. So, processing small amount
>>>> of data is better than of processing bulk data. Response may have encrypted
>>>> data. Buffering all the client-server transactions and validating signatures
>>>> on them is difficult.
>>>
>>> All of that is total wanking. The *real* reason why IPS product designers
>>> concentrate on servers is because hopefully the server end is run by some
>>> experienced people with a clue, and maybe even hardened to last more than
>>> 35 seconds when a hacker attacks.
>>> Meanwhile, if anybody designed an IPS for
>>> the client end, it would just get installed on an end-user PC running Windows,
>>> where it will have all the issues and work just as well as any other
>>> anti-malware software on an end-user PC.
>>>
>>> Oh - and there's also the little detail that a site is more likely to buy
>>> *one* software license to run on their web server (or whatever), rather than
>>> the hassle of buying and administering 10,000 end-user licenses. Especially
>>> when an IPS on the client end doesn't actually tell you much about attacks
>>> against the valuable target (the server) from machines you haven't installed
>>> the end-user IPS on (like the entire rest of the Internet).
>>> -------------- next part --------------
>>> A non-text attachment was scrubbed...
>>> Name: not available
>>> Type: application/pgp-signature
>>> Size: 227 bytes
>>> Desc: not available
>>> Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20100601/0896c76b/attachment-0001.bin
>>>
>>> ------------------------------
>>>
>>> Message: 3
>>> Date: Tue, 1 Jun 2010 15:42:58 +0300
>>> From: "MustLive" <[email protected]>
>>> Subject: [Full-disclosure] DoS vulnerability in Internet Explorer
>>> To: <[email protected]>
>>> Message-ID: <005e01cb0188$162059b0$01000...@ml>
>>> Content-Type: text/plain; format=flowed; charset="windows-1251";
>>>     reply-type=response
>>>
>>> Hello Full-Disclosure!
>>>
>>> I want to warn you about Denial of Service vulnerability in Internet
>>> Explorer. Which I already disclosed at my site in 2008 (at 29.09.2008). But
>>> recently I made new tests concerning this vulnerability, so I decided to
>>> remind you about it.
>>>
>>> I know this vulnerability for a long time - it's well-known DoS in IE. It
>>> works in IE6 and after release of IE7 I hoped that Microsoft fixed this hole
>>> in seventh version of the browser.
>>> But as I tested at 29.09.2008, IE7 was
>>> also vulnerable to this attack. And as I tested recently, IE8 is also
>>> vulnerable to this attack.
>>>
>>> Also I informed Microsoft at 01.10.2008 about it, but they ignored and
>>> didn't fix it. They didn't fix the hole not in IE6, nor in IE7, nor in IE8.
>>>
>>> That time I published about this vulnerability at SecurityVulns
>>> (http://securityvulns.com/Udocument636.html).
>>>
>>> DoS:
>>>
>>> Vulnerability concerned with handling by browser of expression in styles,
>>> which leads to blocking of work of IE.
>>>
>>> http://websecurity.com.ua/uploads/2008/IE%20DoS%20Exploit4.html
>>>
>>> Vulnerable versions are Internet Explorer 6 (6.0.2900.2180), Internet
>>> Explorer 7 (7.0.6000.16711), Internet Explorer 8 (8.0.7600.16385) and
>>> previous versions.
>>>
>>> To Susan Bradley from Bugtraq:
>>>
>>> This is one of those cases, which I told you before, when browser vendors
>>> ignore to fix DoS holes in their browsers for many years.
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua
>>>
>>> ------------------------------
>>>
>>> Message: 4
>>> Date: Tue, 1 Jun 2010 18:28:03 +0530
>>> From: rajendra prasad <[email protected]>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>     concentrate on server side protection? why they are missing client
>>>     protection
>>> To: [email protected]
>>> Message-ID: <[email protected]>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> Hi List,
>>>
>>> I have started this discussion with respect to Network IPS.
>>>
>>> Thanks
>>> Rajendra
>>>
>>> On Tue, Jun 1, 2010 at 1:08 PM, rajendra prasad
>>> <[email protected]> wrote:
>>>
>>>> Hi List,
>>>>
>>>> I am putting my thoughts on this, please share your thoughts, comments.
>>>>
>>>> Request length is less than the response length. So, processing small amount
>>>> of data is better than of processing bulk data. Response may have encrypted
>>>> data. Buffering all the client-server transactions and validating signatures
>>>> on them is difficult. Even though buffered, client data may not be in the
>>>> plain text. Embedding all the client encryption/decryption process on the
>>>> fly is not possible, even though ips gathered key values of clients. Most of
>>>> the client protection is done by anti-virus. So, concentrating client
>>>> attacks at IPS level is not so needed.
>>>>
>>>> Thanks
>>>> Rajendra
>>>>
>>> -------------- next part --------------
>>> An HTML attachment was scrubbed...
>>> URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20100601/0cb18940/attachment-0001.html
>>>
>>> ------------------------------
>>>
>>> Message: 5
>>> Date: Tue, 1 Jun 2010 14:52:51 +0200
>>> From: "Cor Rosielle" <[email protected]>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>     concentrate on server side protection? why they are missing
>>>     client protection
>>> To: "'Nelson Brito'" <[email protected]>
>>> Cc: [email protected]
>>> Message-ID: <003001cb0189$5962ddf0$0c2899...@com>
>>> Content-Type: text/plain; charset="UTF-8"
>>>
>>> Nelson,
>>>
>>>> You're missing one point: Host IPS MUST be deployed with any Network
>>>> Security (Firewalls or NIPSs).
>>> Please be aware this is a risk decision and not a fact. I don't use an host
>>> IPS and no anti Virus either. Still I'm sure my laptop is perfectly safe.
>>> This is because I do critical thinking about security measures and don't
>>> copy behavior of others (who often don't think for themselves and just
>>> copies other peoples behavior). Please note I'm not saying you're not
>>> thinking.
>>> If you did some critical thinking and an host IPS is a good
>>> solution for you, then that's OK. It just doesn't mean it is a good solution
>>> for everybody else and everybody MUST deploy an host IPS.
>>>
>>>> No security solution/technology is the miracle protection alone,
>>> That's true.
>>>
>>>> so that's the reason everybody is talking about defense in depth.
>>> Defense in depth is often used for another line of a similar defense
>>> mechanism as the previous already was. Different layers of defense works
>>> best if the defense mechanism differ. So if you're using anti virus software
>>> (which gives you an authentication control and an alarm control according to
>>> the OSSTMM), then an host IDS is not the best additional security measure
>>> (because this also gives you an authentication and an alarm control).
>>> This would also be a risk decision, but based on facts and the rules
>>> defined in the OSSTMM and not based on some marketing material. You should
>>> give it a try.
>>>
>>> Regards,
>>> Cor Rosielle
>>>
>>> w: www.lab106.com
>>>
>>> ------------------------------
>>>
>>> Message: 6
>>> Date: Tue, 1 Jun 2010 10:27:48 -0300
>>> From: Nelson Brito <[email protected]>
>>> Subject: Re: [Full-disclosure] Why the IPS product designers
>>>     concentrate on server side protection? why they are missing client
>>>     protection
>>> To: rajendra prasad <[email protected]>
>>> Cc: "[email protected]" <[email protected]>
>>> Message-ID: <[email protected]>
>>> Content-Type: text/plain; charset="utf-8"
>>>
>>> Okay, but why did you mention AV as a client-side protection?
>>>
>>> It leads to a discussion about client-side protection, anyways.
>>>
>>> Cheers.
>>>
>>> Nelson Brito
>>> Security Researcher
>>> http://fnstenv.blogspot.com/
>>>
>>> Please, help me to develop the ENG® SQL Fingerprint™
>>> downloading it
>>> from Google Code (http://code.google.com/p/mssqlfp/) or from
>>> Sourceforge (https://sourceforge.net/projects/mssqlfp/).
>>>
>>> Sent on an iPhone wireless device. Please, forgive any potential
>>> misspellings!
>>>
>>> On Jun 1, 2010, at 9:58 AM, rajendra prasad
>>> <[email protected]> wrote:
>>>
>>>> Hi List,
>>>>
>>>> I have started this discussion with respect to Network IPS.
>>>>
>>>> Thanks
>>>> Rajendra
>>>>
>>>> On Tue, Jun 1, 2010 at 1:08 PM, rajendra prasad <[email protected]> wrote:
>>>> Hi List,
>>>>
>>>> I am putting my thoughts on this, please share your thoughts,
>>>> comments.
>>>>
>>>> Request length is less than the response length. So, processing small
>>>> amount of data is better than of processing bulk data. Response may
>>>> have encrypted data. Buffering all the client-server transactions
>>>> and validating signatures on them is difficult. Even though
>>>> buffered, client data may not be in the plai

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
