id and I were talking today about some of the tests he is performing for some software he is helping to test. Amongst the tests he was in charge of, some required forcing the IDS to alert on some of the attacks he was performing. You'd think it would be an easy thing to do. He took some of my successful hack attempts as well as some of his probing attacks and still was unsuccessful in creating an event that the server could pick up.
I had sort of thought the network security world had made attack signatures a commodity. However, in hearing his story, after 72 hours of testing he was only able to get his client's IDS to alert after learning the exact server signature that would fire and modifying his attack specifically to be detected. Ouch. How can companies feel secure without being able to see these very obvious recon techniques? We aren't talking about anything more complex than an nmap scan, but still, they are unable to properly assess the attack in question.
Kinda makes me wonder about the state of network security when default IDSs aren't able to detect or properly classify the most obvious attacks. Maybe it's time to revisit what people are looking at and reporting on.