Lennart, 

Can we please keep any discussion within the confines of impersonal and polite? 
Spirited and passionate is fine and often happens, but calling other people's 
suggestions names and in general using the "if you were a real sysadmin, you 
would ______ ..." tone just gets people upset and stifles valuable input and 
feedback. 

Thanks,

Ross

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: [EMAIL PROTECTED] (Lennart Sorensen)

Date: Mon, 28 Jul 2008 15:04:44 
To: This is the lpi-examdev mailing list.<lpi-examdev@lpi.org>
Subject: Re: [lpi-examdev] New question for LPIC-3 Exam 303 Security


On Mon, Jul 28, 2008 at 02:50:02PM -0300, Rogerio Ferreira wrote:
> I am new in the group. I would like to give a suggestion for exam 303: To
> include one question about IPS (Intrusion Prevention System) HLBR (Hogwash
> Light BR) in the exam.
> 
> *About HLBR:*
> 
> HLBR is a Brazilian project, started in November 2005, as a fork of the
> Hogwash project (started by Jason Larsen in 1996). This project is aimed
> at security in computer networks.
> 
> HLBR is an IPS (Intrusion Prevention System) that can filter packets
> directly in layer 2 of the OSI model (so the machine doesn't even need
> an IP address). Detection of malicious/anomalous traffic is done by rules
> based on signatures, and the user can add more rules. It is an efficient and
> versatile IPS, and it can even be used as a bridge to honeypots and honeynets.
> Since it doesn't make use of the operating system's TCP/IP stack, it can be
> "invisible" to network access and attackers.
> http://hlbr.sourceforge.net/index.html.en
> 
> Suggested question about HLBR:
> 
> X) What does this rule do?
> 
> <rule>
> ip dst(www)
> tcp dst(80)
> tcp nocase(cmd.exe)
> message=cmd.exe test
> action=action1
> </rule>
> 
> A) ....
> B) ....
> C) ....
> D) ....

Would my answer be considered correct?

IPS is a load of shit that can't possibly work because it involves
writing rules about what should and should not be permitted and if you
were capable of writing those rules then you would be capable of
preventing the intrusion in the first place.  Hence IPS in general is
pointless.

Now the work going into analysing source code of programs to determine
what is possible behaviour (at least as far as system calls go) and
killing a process when it makes system calls in an invalid order might
actually provide some protection against exploitation, although it has a
huge number of unfortunate limitations that make it unusable so far.

So forget IPS and go setup your firewall properly.

-- 
Len Sorensen
_______________________________________________
lpi-examdev mailing list
lpi-examdev@lpi.org
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev
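As an added illustration (not code from this thread or from the HLBR project), the following Python toy matcher interprets Rogerio's sample rule over constructed packets, showing why it fires on a request to the web server that names cmd.exe in any letter case and not otherwise. The contents of the `www` list, the packet field names and the AND semantics of the rule lines are assumptions made here.

```python
import re

# Constructed stand-in for the "www" list used by "ip dst(www)"; the real HLBR
# list syntax is not shown on the page, so a name simply maps to an address set.
LISTS = {"www": {"192.0.2.10", "192.0.2.11"}}

def parse_rule(text):
    # Split a <rule>...</rule> block into (layer, op, arg) tests and key=value metadata.
    body = re.search(r"<rule>(.*?)</rule>", text, re.S).group(1)
    tests, meta = [], {}
    for line in filter(None, map(str.strip, body.splitlines())):
        m = re.fullmatch(r"(ip|tcp)\s+(\w+)\((.*)\)", line)
        if m:
            tests.append(m.groups())
        else:
            key, _, value = line.partition("=")
            meta[key.strip()] = value.strip()
    return tests, meta

def check(rule_text, pkt):
    # Tests are ANDed (assumed): return (message, action) only if every line holds, else None.
    tests, meta = parse_rule(rule_text)
    for layer, op, arg in tests:
        if (layer, op) == ("ip", "dst"):
            ok = pkt["dst_ip"] in LISTS.get(arg, {arg})
        elif (layer, op) == ("tcp", "dst"):
            ok = pkt["proto"] == "tcp" and pkt["dst_port"] == int(arg)
        elif (layer, op) == ("tcp", "nocase"):  # case-insensitive payload search
            ok = pkt["proto"] == "tcp" and arg.lower().encode() in pkt["payload"].lower()
        else:
            raise ValueError(f"unsupported test: {layer} {op}")
        if not ok:
            return None
    return meta["message"], meta["action"]

RULE = """<rule>
ip dst(www)
tcp dst(80)
tcp nocase(cmd.exe)
message=cmd.exe test
action=action1
</rule>"""
# Constructed packets: a request to the web server naming CMD.EXE (fires despite
# the upper case), a clean request to it, and a cmd.exe request to a host not in "www".
SAMPLE = [
    {"dst_ip": "192.0.2.10", "proto": "tcp", "dst_port": 80, "payload": b"GET /CMD.EXE HTTP/1.0\r\n"},
    {"dst_ip": "192.0.2.10", "proto": "tcp", "dst_port": 80, "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"dst_ip": "198.51.100.7", "proto": "tcp", "dst_port": 80, "payload": b"GET /cmd.exe HTTP/1.0\r\n"},
]
VERDICTS = [check(RULE, p) for p in SAMPLE]  # [("cmd.exe test", "action1"), None, None]
```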
