On 10/01/2008, narccist tohell <[EMAIL PROTECTED]> wrote:
> Thanks Jamie and Stefano for noticing my issues,
> 90% of commercial database-specific IDS/IPS systems do "signature
> matching" exploit detection. They are stateless and mostly based on Snort.
> So does this mean that all they can do is stop public exploits? If someone
> modifies the exploit then the signatures will fail, and by that means the
> appliances too?

Hi there,

The IDS is there to tell you you've been compromised and need to take
action to sort it out. It doesn't in any way stop your database box
being compromised. I used to look after a large-ish network of some 5K
hosts and the thing that I noticed most often was outgoing portscans
and IRC traffic from boxes which had been owned. If possible, I like
to have the IDS run independently of the security arrangements for the
actual hosts.

I like to lock the network down so I'm pretty sure that the risk is
low. Then I use IDS to make sure my confidence is not misplaced - as a
sanity check if you like. Also, it is a great reassurance if other
people are changing configs of your network.

Metasploit v3 has pretty good IDS evasion code, especially for example
to do with browser exploits embedded in HTTP. Doesn't matter too much,
because most attackers, having owned a box will do very unstealthy
things like scan a /8 looking for more boxes to compromise, or join an
IRC channel. These secondary effects show up very well on snort with
portscan logging. Your IDS has actually detected the intrusion, as
it's meant to - although not as efficiently as it perhaps could have.

As for securing a DB box, I'm not an expert and tend to use PostgreSQL
because I like it and it's free. I haven't played with IPS much
either, so I can't help there.

cheers,
 Jamie
-- 
Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED]
UK Honeynet Project: http://www.ukhoneynet.org/
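The "secondary effects" Jamie describes (outbound port scans and IRC connections from an owned host) are easy to spot in plain connection logs even when the original exploit evaded signatures. The following detector is an added example, not code from the thread or from Snort; it assumes a constructed, simplified log format of "timestamp src dst dport", an internal 10.0.0.0/8 range, and the usual IRC ports 6667/6697.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IRC_PORTS = {6667, 6697}             # assumption: common IRC ports
SCAN_HOSTS = 20                      # distinct destinations on one port ...
SCAN_WINDOW = timedelta(seconds=60)  # ... within this window counts as a scan
INTERNAL_PREFIX = "10."              # assumption: our hosts live in 10.0.0.0/8

def parse_line(line):
    """Parse 'ISO-timestamp src dst dport' (constructed format) into a tuple."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_secondary_effects(lines):
    """Return {internal_src_ip: sorted list of findings} for outbound traffic."""
    findings = defaultdict(set)
    outbound = defaultdict(list)  # (src, dport) -> [(timestamp, dst), ...]
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        if not src.startswith(INTERNAL_PREFIX) or dst.startswith(INTERNAL_PREFIX):
            continue  # only traffic leaving our own hosts is of interest here
        if dport in IRC_PORTS:
            findings[src].add(f"outbound IRC to {dst}:{dport}")
        outbound[(src, dport)].append((ts, dst))
    for (src, dport), events in outbound.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window so events[start:end+1] all fall within SCAN_WINDOW
            while events[end][0] - events[start][0] > SCAN_WINDOW:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= SCAN_HOSTS:
                findings[src].add(f"outbound scan on port {dport}")
                break
    return {src: sorted(f) for src, f in findings.items()}

def sample_log():
    """Constructed log: one quiet host, one host that sweeps 445 then joins IRC."""
    base = datetime(2008, 1, 10, 9, 0, 0)
    lines = [f"{base.isoformat()} 10.1.1.5 203.0.113.7 443",
             f"{(base + timedelta(seconds=30)).isoformat()} 10.1.1.5 203.0.113.8 443"]
    for i in range(25):  # 25 distinct hosts on port 445 within 25 seconds
        t = base + timedelta(minutes=5, seconds=i)
        lines.append(f"{t.isoformat()} 10.1.1.9 198.51.100.{i + 1} 445")
    lines.append(f"{(base + timedelta(minutes=10)).isoformat()} 10.1.1.9 192.0.2.44 6667")
    return lines

if __name__ == "__main__":
    for host, hits in find_secondary_effects(sample_log()).items():
        print(host, hits)
```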
