Snort mailing list archives

RE: New Trend: Intrusion Prevention


From: "Chris Eidem" <ceidem () Dexma com>
Date: Fri, 13 Dec 2002 15:27:47 -0600

-----Original Message-----
From: twig les [mailto:twigles () yahoo com]
Sent: Friday, December 13, 2002 2:27 PM
To: Ibarra, Michael; 'Sheahan, Paul (PCLN-NW)'; Snort List (E-mail)
Subject: RE: [Snort-users] New Trend: Intrusion Prevention


I've seen a few of these for a couple years now, but
generally I run into the host-based ones.  eEye makes
one for that retarded MS web server here:
http://www.eeye.com/html/Products/SecureIIS/index.html

I believe it intercepts kernel calls and blocks/passes
them, kinda playing middleman.  Not sure though. 
Looks neat, but I don't see any silver bullet here
either; not unless you want to slap this type of thing
on your 500-5000 XP workstations too.

my retarded servers have enough trouble with their IIS miscommunicating
with the kernel as it is.  i really don't want to add another layer that
could muck things up even more...

my basic thought is this (IPS - that is) is too dangerous right now for
this to be used in a production network.  the DOS potential against a
system is way too high and you would have to have 10000 rules to make sure
that you have the right signature before you start blocking connections
accurately.

locking the doors and checking the windows is difficult enough without
having to go out onto the sidewalk and chase any 'shady' looking person
from your yard.

 - chris

