[dundee] Meeting abstract for October 11th, hosted by Arron 'Finux'
Stuart McCulloch Anderson
chairman at thesoftwaresociety.org.uk
Wed Oct 3 07:08:45 UTC 2012
Good morning everyone,
Our next meeting is in just over a week, so start your watches.
Arron is giving us a talk on IPS (Intrusion Prevention Systems) and the problems of false positives. I'll let him explain it better.
The meeting is at the new Burgh Coffee House at the later time of 19:00. I look forward to you all being there.
ABSTRACT BELOW
Using False Positives to Enumerate Detection Systems
Network Intrusion Prevention Systems or NIPS have been plagued by “False
Positive” issues almost since their first deployment. A “False Positive”
could simply be described as incorrectly or mistakenly detecting a
threat that is not real. A large amount of research has gone into using
“False Positive” as an attack vector to either attack the very validity
of an IPS system or to conduct forms of Denial of Service attacks.
However, the very reaction to a “False Positive” in the first place may
very well reveal more detailed information about defences than you might
well think.
This talk takes a look at how it is possible to enumerate network
defences such as an IPS by very simple and effective means. A detection
system such as an IPS reacting to a set of conditions under the control
of an attacker can very well allow them to know what defences they need
to overcome to be successful. With a simple crafted email it is possible
to tell that clamAV is running on a mail server, or a simple fake URL
parameter could well inform you that SNORT is defending a web
application. Armed with this type of information an attacker can plan
an attack that utilises IPS evasion techniques.
Although this talk uses some very famous “Open Source” security
applications in its examples, the methodology can easily be used to detect
a whole host of commercial security products as well.
There is no hard and fast simple fix to the issues discussed in this
talk; the aim is simple: to give the attendees the ability to spot and
assess potential “reaction leakages” from a detection system. You can
only really defend against what you can understand, and with this
information a more fitting solution can be sought.
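The abstract's closing point is that defenders need to be able to spot "reaction leakage" in their own detection systems. The following is an added example written for this announcement, not code from the talk or from any IPS product: it walks an IPS alert export (a constructed, hypothetical line format, with made-up signature names and RFC 5737 documentation addresses) and flags the pattern described above, a single source triggering many different rules a hit or two each, every time with a reaction the sender could observe (connection reset or mail reject, as opposed to a silent drop). It also lists which rules ever reacted visibly, which are the candidates to review for a quieter action. The window and threshold values are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alert export (hypothetical line format, not any product's native log).
# Signature names and source addresses are made up; addresses are RFC 5737 documentation ranges.
SAMPLE_ALERTS = """\
2012-10-03T07:00:01 src=203.0.113.5 sig="WEB sqli-in-uri" action=reset
2012-10-03T07:00:03 src=203.0.113.5 sig="WEB xss-in-uri" action=reset
2012-10-03T07:00:05 src=203.0.113.5 sig="WEB path-traversal" action=reset
2012-10-03T07:00:08 src=203.0.113.5 sig="WEB scanner-user-agent" action=reset
2012-10-03T07:00:09 src=203.0.113.5 sig="MAIL antivirus-test-file" action=reset
2012-10-03T07:01:00 src=198.51.100.7 sig="WEB sqli-in-uri" action=drop
2012-10-03T07:01:02 src=198.51.100.7 sig="WEB sqli-in-uri" action=drop
2012-10-03T07:01:04 src=198.51.100.7 sig="WEB sqli-in-uri" action=drop
2012-10-03T09:30:00 src=192.0.2.9 sig="WEB xss-in-uri" action=reset
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) sig="(?P<sig>[^"]+)" action=(?P<action>\S+)$'
)

# Actions whose effect the sender can observe (TCP reset, SMTP reject).
# A silent drop still stops the traffic but gives the sender far less to learn from.
VISIBLE_ACTIONS = {"reset", "reject"}


def parse_alerts(text):
    """Parse the constructed export into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        alerts.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "sig": m["sig"],
            "action": m["action"],
        })
    return alerts


def find_enumeration_probes(alerts, window=timedelta(minutes=5), min_distinct=3):
    """Return {source: [signatures]} for sources that triggered at least `min_distinct`
    different signatures within `window`, each with a sender-visible reaction.

    Many different rules, a hit or two each, every reaction observable: that is what a
    reaction-leakage probe looks like, as opposed to a repeated attack against one rule.
    """
    by_src = defaultdict(list)
    for a in alerts:
        if a["action"] in VISIBLE_ACTIONS:
            by_src[a["src"]].append(a)

    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda a: a["ts"])
        best = set()
        lo = 0
        # Sliding window over this source's events; keep the largest distinct-rule set seen.
        for hi in range(len(events)):
            while events[hi]["ts"] - events[lo]["ts"] > window:
                lo += 1
            distinct = {e["sig"] for e in events[lo:hi + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= min_distinct:
            flagged[src] = sorted(best)
    return flagged


def leaking_signatures(alerts):
    """Signatures that ever fired with a sender-visible action: the rules whose presence
    an outsider could confirm, and therefore candidates for a quieter response."""
    return sorted({a["sig"] for a in alerts if a["action"] in VISIBLE_ACTIONS})


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for src, sigs in find_enumeration_probes(parsed).items():
        print(f"{src}: probed {len(sigs)} rules -> {sigs}")
    print("rules with visible reactions:", leaking_signatures(parsed))
```

On the sample, only 203.0.113.5 is flagged: it touched five different rules in under ten seconds and got a reset every time. 198.51.100.7 hammered one rule and was silently dropped, which is a plain attack rather than enumeration, and 192.0.2.9 tripped a single rule. The second function is the review list: every rule in it has, at some point, told a sender it exists.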
Stay sane and remember, I like you cause you join in on my madness....
Stuart McCulloch Anderson
Chairman
The Software Society Limited
3 Ralston Business Centre,
Newtyle, Blairgowrie, Perthshire, PH12 8TL, SCOTLAND
Mobile: +44 (0) 7787 432 476
A Company Limited by Guarantee
Registered in Scotland, Company Number SC413286