September 12, 2012

What the IPS Didn’t See

After seeing the Dark Reading article, What the IPS Saw, the question came up was, 'What Didn't the IPS See?' 


Why?  The billions upon billions of data points they collected contained one glaring gap:  the Web application attack vector (SQL Injection and Cross Site Scripting to name a few).  Since many security teams falsely believe that IPS can block or mitigate application attacks and IPS vendors increasingly claim application security features, understanding the gap is important.  

Fact:  Hackers love web applications and databases
In 2011, according to Verizon’s Data Breach Report (page 39), 83% of all data breached was from databases and 80% involved web application breaches.  In the case of hacktivism, our report, the Anatomy of an Anonymous attack, highlighted the paramount importance application attacks play in a hacker’s arsenal:


Analyzing hacker forum data (over a period of a year) helps us understand what interests “private” hackers.  Again, web attacks are the vector of choice:


It is easily recognizable that the largest vector of attack was in fact SQL Injection.

Bear in mind that the zero-day and shell code percentages also include XSS attempts to inject malicious code, which means even if the payload is shell code; the injection vector is a Web XSS.

Brute-Force will also be included in the Web Application Attack vector, as it will be mainly the attempt to break web logins by running dictionary attacks at them, via—surprise!—the Web.


Why don’t I see this information in IPS reports?
The answer is quite simple. The reason you can’t see this information in IPS reports, is because IPS can’t see it.

IPS technology is designed to follow patterns and to either match signatures against traffic, or understand structure of a flow.  For example, in an exploit that is known, the system will have an updated (or so you hope) dictionary of signatures that will match and the session will be dropped. And in other cases, IPS might work on thresholds for amounts of traffic, or what is “known to be good practice” threshold.

Tautology vs. Signatures
Let’s single out SQL Injection to make an important distinction. A SQL Injection utilizes a True statement, meaning a statement that the SQL Interpreter will analyze and will say “yes, this is valid, I will now analyze this”. Unfortunately for the world of IPS, there is no limit to True statements in the world.  For example:

  • a<>b
  • 1=1
  • 1=((2-1)*2/2)
  • date(today) != char(57)
  • JimmyPage > Life
  • The list goes on...

The point here is very simple … you can’t write a signature for unlimited amount of terms, and you can’t predict behavior of an application by analyzing traffic as a pattern, since every application is written differently, and every developer has his/her own quirks.

You don’t use an IPS for Web application security, like you don’t install an antivirus to protect yourself against spam.


Authors & Topics:

Share on LinkedIn


Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.