How susceptible is it to common evasion techniques?

There are a number of readily available evasion tools out there (fragroute, Whisker, etc.) and at the very least, any IPS should be able to handle them easily. Watch out for any product that comes with IP fragment reassembly or TCP segment reassembly disabled by default. This is often done purely for performance reasons or because the reassembly is suspect. These anti-evasion techniques should always be enabled.

How likely is it that variants of the same exploit or new exploits of the same vulnerability will be detected without a signature update?

What we are looking for here is a product where the signatures are written to detect the underlying vulnerability rather than a specific exploit. This means that when a new variation of an old exploit is produced, the IPS device stands a good chance of being able to block it without a signature update. You may only get a generic "buffer-overflow attempt" type of alert at first (many vendors will follow up with a more exploit-specific signature at a later date for more accurate identification), but at least the attack is blocked immediately.

How susceptible is it to raising false-positive alerts?
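The two evaluation points above (stream reassembly as an anti-evasion measure, and vulnerability-based versus exploit-specific signatures) can be seen in a small detector. The following is an added example, not code from the original post or from any IPS vendor: it models a constructed toy protocol with a single `USER <name>` command, assumes a hypothetical 64-byte server buffer, and compares a naive per-segment matcher against one that reassembles the TCP stream first, using an exploit-specific signature beside a vulnerability-based one. All traffic samples are constructed inline.

```python
import re
from dataclasses import dataclass

# Constructed toy protocol: one "USER <name>\r\n" command per connection.
# Assumption for this example only: the protected server overflows a
# 64-byte buffer when the name is longer than 64 bytes.
MAX_USER_LEN = 64

# Exploit-specific signature: the exact padding a hypothetical published
# exploit used. It only matches that one exploit.
EXPLOIT_SIG = re.compile(rb"USER " + rb"A" * 72)

# Vulnerability-based signature: any USER name longer than the buffer,
# regardless of which bytes fill it. Alerts are generic ("overlong USER
# field") but cover variants without a signature update.
VULN_SIG = re.compile(rb"USER (\S{%d,})" % (MAX_USER_LEN + 1))


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments):
    """Order segments by sequence number and join them, keeping the first
    copy of any overlapping byte. Gaps (missing segments) are not modelled."""
    stream = bytearray()
    next_seq = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if next_seq is None:
            next_seq = seg.seq
        skip = max(0, next_seq - seg.seq)   # bytes already seen (overlap)
        stream += seg.payload[skip:]
        next_seq = max(next_seq, seg.seq + len(seg.payload))
    return bytes(stream)


def match_per_segment(segments, sig):
    """Naive inspection: each segment is matched on its own, so a pattern
    split across a segment boundary is never seen."""
    return any(sig.search(seg.payload) is not None for seg in segments)


def match_reassembled(segments, sig):
    """Inspection after stream reassembly."""
    return sig.search(reassemble(segments)) is not None


def split(seq, data, at):
    """Split one command into two segments at byte offset `at`."""
    return [Segment(seq, data[:at]), Segment(seq + at, data[at:])]


def inspect(segments):
    """Report which of the four check combinations fires for a set of segments."""
    return {
        "exploit_sig_per_segment": match_per_segment(segments, EXPLOIT_SIG),
        "exploit_sig_reassembled": match_reassembled(segments, EXPLOIT_SIG),
        "vuln_sig_per_segment": match_per_segment(segments, VULN_SIG),
        "vuln_sig_reassembled": match_reassembled(segments, VULN_SIG),
    }


# Constructed traffic samples.
KNOWN_EXPLOIT = b"USER " + b"A" * 72 + b"\r\n"   # the exploit the signature was written for
VARIANT       = b"USER " + b"B" * 80 + b"\r\n"   # same vulnerability, different padding
BENIGN        = b"USER " + b"alice.longname" + b"\r\n"


if __name__ == "__main__":
    # Segments delivered out of order and split mid-pattern.
    print("known exploit:", inspect(list(reversed(split(1000, KNOWN_EXPLOIT, 40)))))
    print("variant:      ", inspect(split(2000, VARIANT, 40)))
    print("benign:       ", inspect([Segment(3000, BENIGN)]))
```

Run as a script, the known exploit is caught by both signatures only after reassembly, the variant is caught only by the vulnerability-based signature, and the benign login triggers nothing. A product shipped with reassembly disabled behaves like the `per_segment` columns: an attacker only needs to place a segment boundary inside the pattern.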