Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: Vern Paxson <vern () ee lbl gov>
Date: Fri, 20 Feb 1998 23:38:17 PST
Does anybody have stats on how often TCP packets just barely make it to the destination?
Lessee:
tcpdump 'ip[8:1] < 4 and tcp and not port bgp'
Running this on our border DMZ at 11PM on a Friday night (yeah, I know,
don't I have anything better to do? :-) turns up a TCP packet with a TTL
of 1, 2 or 3 on average once every 8 seconds.
From my experiences with running Bro for close to two years now, I'd say
that false alarms are a *major* headache. They suck up a lot of energy
figuring out whether they're actually something to worry about; or you get
blase', and now you're vulnerable ...
Vern
Current thread:
- RE: Important Comments re: INtrusion Detection, (continued)
- RE: Important Comments re: INtrusion Detection Kurt Ziegler (Feb 19)
- Re: Important Comments re: INtrusion Detection tqbf (Feb 19)
- Re: Important Comments re: INtrusion Detection Barney Wolff (Feb 20)
- Re: Important Comments re: INtrusion Detection Aleph One (Feb 20)
- Re: Important Comments re: INtrusion Detection marc (Feb 20)
- Re: Important Comments re: INtrusion Detection Barney Wolff (Feb 20)
- Re: Important Comments re: INtrusion Detection tqbf (Feb 20)
- Re: Important Comments re: INtrusion Detection Darren Reed (Feb 21)
- Re: Important Comments re: INtrusion Detection tqbf (Feb 21)
- Re: Important Comments re: INtrusion Detection Darren Reed (Feb 21)
- Re: Important Comments re: INtrusion Detection Darren Reed (Feb 21)
- Re: Important Comments re: INtrusion Detection Vern Paxson (Feb 21)