TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
> after ISS purchased NetworkIce, now the RS7.0 claims 1200+ signatures, you
> know RS 6.5 used to be around 600+, and black ice used to be 600+, so now
> it's 1200+, my question is: there's no overlap between these two products in
> signature?

The products had 50% overlap. Therefore, you should expect an increase to 900 rather than 1200.

Another 100 came through simple expansion of existing signatures. Both RealSecure 6.5 and Network ICE followed a policy of grouping related signatures under a single attack. Thus, even though only a single "signature" appears to the outside world, it is really often a couple of distinct checks. While we were in there mucking around, we split some of them out. For example, Network ICE had an "SNMP Corrupt" signature that checked 40 different things. However, many vendors have corrupt SNMP implementations -- and may therefore turn this off as a "false-positive". We split that signature into 40 different events, allowing customers to detect 38 possible attacks even when they need to filter out 2 events to compensate for bugs in their routers. In reality, no new security content was added -- the count just expanded. (We only expand such things when we need to; we still have a policy against needlessly expanding the signature count.)

The other 200 came from new content. ISS has had a long-standing desire to build certain signatures on top of a state-based, protocol-analysis engine -- things that can't be done with a simple pattern match. The Network ICE engine allowed a lot of these signatures to be created that simply couldn't be created before. It is a clear example of "two heads are better than one": Network ICE didn't have the security expertise, RealSecure didn't have the core engine.

Thus, you get roughly 1200 events as the result. (Note, we haven't done an exact study of where the signatures come from; the above are my own estimates.)
> another question is since now 7.0 is using both protocol analysis and pattern
> matching, so if there's an attack, how the RS will decide to detect it via
> protocol analysis or via pattern matching?

The engineer writing the signature makes a decision about the best way to detect the attack, and writes a signature that best detects the attack. The choices are:

* simple pattern-search
* protocol validation
* protocol anomaly detection
* analysis of the protocol fields
* analysis of the protocol state (correlating among packets, not just one)
* using our heuristics engine
* other

For example, if a vulnerability is discovered in the "example.cgi" web-server CGI script, we will add a simple pattern to the list of URL patterns. However, if there is a buffer overflow in the HTTP "Example" field, we'll likely measure the length of that field and trigger an event whenever it exceeds a threshold value. The first is pattern-match, the second is protocol-analysis. (Though even the first example is protocol-analysis to some extent, with all the anti-evasion and URL decoding that takes place before a pattern-match, but you get the idea.)

Fundamentally, nothing in RealSecure does a "blind" pattern-match: protocol-analysis is always used somewhere.

__________________________________________________
Yahoo! - We Remember 9-11: A tribute to the more than 3,000 lives lost
http://dir.remember.yahoo.com/tribute
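The two signature styles contrasted in the reply above (a URL pattern for a vulnerable CGI script versus a length threshold on a header field), shown side by side as an added example. This is illustrative code written for this page, not RealSecure or Network ICE code; "example.cgi", the "Example" header, the event names, the 256-byte threshold and the sample requests are all assumptions or constructed input. It also shows the decoding step the reply alludes to: the pattern match runs only after the request line is parsed and the URL is percent-decoded and dot-segment-normalized, so an encoded or dotted path does not slip past it.

```python
"""Toy HTTP request inspector (added example, not from the original post).

Two signature styles:
  1. pattern-match: search the decoded request path for a vulnerable CGI name
     ("example.cgi" is the post's placeholder, not a real script);
  2. protocol-analysis: measure a header field ("Example", again a placeholder)
     and fire when its length exceeds a threshold.
Both run after minimal protocol decoding, so neither is a blind byte search.
"""
from urllib.parse import unquote
import posixpath

# Hypothetical signature tables; names and threshold are assumptions.
URL_PATTERNS = {"example.cgi": "HTTP_Example_CGI"}
FIELD_LENGTH_LIMITS = {"example": ("HTTP_Example_Field_Overflow", 256)}


def normalize_path(raw_target):
    """Decode the request target roughly the way a web server would.

    Two rounds of percent-decoding undo %25-style double encoding, and
    posixpath.normpath collapses "/./" and "/../" segments used for evasion.
    """
    path = raw_target.split("?", 1)[0]        # drop the query string
    for _ in range(2):
        path = unquote(path)
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers).

    Header names are lower-cased. A malformed request line or header raises
    ValueError so the caller can report a protocol violation instead of
    silently pattern-matching garbage.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError("malformed header line")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def inspect(raw):
    """Return the list of event names triggered by one raw request."""
    events = []
    try:
        _method, target, headers = parse_request(raw)
    except ValueError:
        return ["HTTP_Malformed_Request"]

    # 1. pattern-match signature, applied to the decoded path
    path = normalize_path(target)
    for pattern, event in URL_PATTERNS.items():
        if pattern in path:
            events.append(event)

    # 2. protocol-analysis signature: header field length over threshold
    for field, (event, limit) in FIELD_LENGTH_LIMITS.items():
        if field in headers and len(headers[field]) > limit:
            events.append(event)
    return events


# Constructed sample traffic (not captured data).
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    # CGI name hidden behind percent-encoding and a dot segment
    "evasive_cgi": b"GET /cgi-bin/./%65xample.cgi?x=1 HTTP/1.0\r\nHost: h\r\n\r\n",
    # oversized header field, the shape of a buffer-overflow attempt
    "long_field": b"GET / HTTP/1.0\r\nExample: " + b"A" * 600 + b"\r\n\r\n",
    "garbage": b"\x00\x01 not http at all",
}


def run_samples():
    """Inspect every sample and return {name: [events]}."""
    return {name: inspect(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, events in run_samples().items():
        print(f"{name:12s} -> {events}")
```

The "garbage" sample is the reason the parser raises rather than returning empty results: in the reply's terms, a request that does not parse is itself a protocol-validation event, not a miss.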
