Thank you to all who responded. I got many private email responses. I tried to put the summary here:
- NIPS products handle client side attacks related to protocols (HTTP, SMTP, NNTP etc.. ) - File content related attacks (Email attachments, HTTP response data, Java scripts, VB scripts etc.. ) are best detected and prevented by running client side security products and proxy based security solutions such as Anti-Virus, application firewalls etc.. - Many current generation NIPS products don't do any decompression and de-archiving. Hence can't do deep data attack analysis. - New generation of NIPS products are being developed to detect many of client side attacks. Current generation NIPS solutions do some job of detecting file content related attacks, but there could be many false positives and in some cases they don't even detect them. - One security solution can't protect all kinds of attacks and different products are needed for 'almost-complete' protection. Surya ----- Original Message ---- From: Surya Batchu <[EMAIL PROTECTED]> To: [email protected] Sent: Wednesday, March 14, 2007 11:07:13 PM Subject: 7-ZIP ARJ Archive Processing stack overflow - Is there any role for Network IPS? Hi, Please see this advisory: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-3051 This attack can be launched remotely by sending specially crafted data in archived file. Which security solutions are expected to catch these kinds of attacks? It seems that NIPS/NIDS solution typically check for buffer overflow attacks at protocol level, but not at the file/archive level. If so, is it fair to assume that only security solutions running, on the client machine, catch these kjinds of attacks. Any insight is appreciated. Thanks Surya ____________________________________________________________________________________ It's here! Your new message! Get new email alerts with the free Yahoo! Toolbar. http://tools.search.yahoo.com/toolbar/features/mail/ ____________________________________________________________________________________ Sucker-punch spam with award-winning protection. Try the free Yahoo! Mail Beta. http://advision.webevents.yahoo.com/mailbeta/features_spam.html ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
