Snort mailing list archives
Re: Error trapping signatures ...
From: "Jon Baer" <security () jonbaer net>
Date: Sun, 22 Jun 2003 11:13:15 -0700
Actually seems to be an old idea ... http://www.phrack.org/phrack/56/p56-0x0b

It's 3 years old but makes a lot of good points ...

-snip-
An IDS which implements a strict anomaly detection model can never enter a false-positive state, i.e. can never generate a false alarm, because activity which occurs outside the definition of "use", by definition, has security relevance.
-snip-

I think it makes sense to wrap these types of sigs around apps like mysql for example once it's in production, but does anyone here on the list actually deploy these types of techniques w/ success?

- jon

pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47

----- Original Message -----
From: "Erek Adams" <erek () snort org>
To: "Jon Baer" <security () jonbaer net>
Basically, once you have a "known" network, it doesn't take much to get a set of rules when you see "something that shouldn't be happening". A nice benefit of this is that once this is set up, any changes that are made to the network (rogue server) become pretty obvious.
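As an added illustration of the "known network" approach Erek describes, applied to the mysql case Jon raises, here is a pair of Snort rules written for this page (not from the thread or from the Snort project) that treat any MySQL traffic outside the documented client/server pairing as a policy violation. The addresses and SIDs are constructed placeholders, and `$HOME_NET` is assumed to be defined in snort.conf as usual:

```snort
# Constructed example addresses: the one sanctioned MySQL server and the
# application hosts that are allowed to talk to it.
var MYSQL_SERVERS [10.0.0.10]
var APP_SERVERS [10.0.0.20,10.0.0.21]

# Anything other than the known app servers opening a session to the
# sanctioned MySQL server is outside the definition of "use".
alert tcp !$APP_SERVERS any -> $MYSQL_SERVERS 3306 (msg:"POLICY MySQL client from unexpected host"; flow:to_server,established; classtype:policy-violation; sid:1000001; rev:1;)

# A host other than the sanctioned server answering on 3306 is the
# "rogue server" case: a new or unapproved database has appeared.
alert tcp !$MYSQL_SERVERS 3306 -> $HOME_NET any (msg:"POLICY MySQL service answering from unexpected host"; flow:from_server,established; classtype:policy-violation; sid:1000002; rev:1;)
```

Because the two `var` lists are the only thing these rules know about the network, every legitimate change (a new app server, a database migration) has to be reflected there first or it surfaces as an alert, which is exactly the property Erek describes.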