Snort mailing list archives

Re: Error trapping signatures ...


From: "Jon Baer" <security () jonbaer net>
Date: Sun, 22 Jun 2003 11:13:15 -0700

actually seems to be an old idea ...

http://www.phrack.org/phrack/56/p56-0x0b

it's 3 years old but makes a lot of good points ...

-snip-
An IDS which implements a strict anomaly detection model can never enter a
false-positive state, i.e. can never generate a false alarm, because activity
which occurs outside the definition of "use", by definition, has security
relevance.
-snip-

i think it makes sense to wrap these types of sigs around apps like mysql for
example once it's in production, but does anyone here on the list actually
deploy these types of techniques w/ success?

- jon

pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47


----- Original Message ----- 
From: "Erek Adams" <erek () snort org>
To: "Jon Baer" <security () jonbaer net>
Basically, once you have a "known" network, it doesn't take much to get a
set of rules when you see "something that shouldn't be happening".  A nice
benefit of this is that once this is set up, any changes that are made to
the network (rogue server) become pretty obvious.



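What a "known use" rule set for a production MySQL tier might look like, written as an added example in Snort 2.x rule syntax (this is not from the thread or from the Snort distribution). The addresses are assumed: 10.0.2.0/24 is the application tier, 10.0.3.5 the one DBA workstation allowed to administer the database, and 10.0.1.10 and 10.0.1.11 the sanctioned MySQL servers. The idea is the one quoted from Phrack and described by Erek: define the traffic that is supposed to exist, then alert on everything else touching the service, including a listener on a host that should not have one.

```snort
# Added example, not from the original post. All hosts below are assumed.
var DB_SERVERS [10.0.1.10,10.0.1.11]
var APP_SERVERS 10.0.2.0/24
var DBA_HOST 10.0.3.5

# 1. Define "use": the only client->server connection attempts to TCP/3306
#    that are expected. Matching the bare SYN gives one event per connection.
#    The ",12" mask tells Snort to ignore the two reserved/ECN bits so a SYN
#    with ECN set still matches.
pass tcp $APP_SERVERS any -> $DB_SERVERS 3306 (msg:"sanctioned app->mysql"; flags:S,12; sid:1000001; rev:1;)
pass tcp $DBA_HOST any -> $DB_SERVERS 3306 (msg:"sanctioned dba->mysql"; flags:S,12; sid:1000002; rev:1;)

# 2. Any other connection attempt to a MySQL port is outside the definition
#    of use: a new client, a new source subnet, or a new target host.
alert tcp any any -> any 3306 (msg:"POLICY MySQL connection outside defined use"; flags:S,12; classtype:policy-violation; sid:1000003; rev:1;)

# 3. A SYN/ACK *from* port 3306 on a host that is not a sanctioned DB server
#    means something is listening there: Erek's "rogue server" case.
alert tcp !$DB_SERVERS 3306 -> any any (msg:"POLICY MySQL listener on non-sanctioned host (rogue server?)"; flags:SA,12; classtype:policy-violation; sid:1000004; rev:1;)
```

One caveat a practitioner will hit immediately: Snort's default evaluation order is alert, pass, log, so with this file the sanctioned flows would still fire sid 1000003 before the pass rules are ever consulted. Start snort with `-o` (or put `config order: pass alert log` in snort.conf on 2.x) so pass rules are applied first. Everything not covered by a pass rule will alert, which is exactly the anomaly model the Phrack quote describes, but it also means the first weeks of such a deployment are spent extending the pass rules until the "use" definition is actually complete.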
_______________________________________________
Snort-users mailing list

