Snort mailing list archives
Re: tippingpoint]
From: John Sage <jsage () finchhaven com>
Date: Thu, 16 Oct 2003 23:52:38 -0700
On Thu, Oct 16, 2003 at 07:48:41PM -0700, Geoff wrote:

> Ok had to respond to this one :)

/* snip */

> Implementation of an IPS requires that you only implement signatures that have a VERY low rate of false positives, or traffic that you just flat out don't care if it gets dropped.

"..only implement signatures that have a VERY low rate of false positive.." Yeah. That's certainly no problem, whatsoever :-/

And what do you do about traffic that represents unknown exploits?

> For example: In our testing we dropped ICMP stacheldraht Agent to Server Hello packets. It is a very easy sig to spot: the word "skillz" inside an ICMP echo reply packet. Rarely are we going to see that one in the wild with business-critical traffic.

Stacheldraht? You gotta be kidding. How old is that?

Again, what do you do about the exploits you **don't** know about?

> We also dropped ICMP Welchia packets; they consist of an echo request with 64 A's. A well known false positive for that signature is the Yahoo keep-alive packets for Instant Messenger. We made the decision that we simply do not care about that traffic.
Well, duh.. You seem very well prepared to protect yourself against the known...

- John

--
"Most people don't type their own logfiles; but, what do I care?"
- John Sage: InfoSec Groupie
- ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
- ATTENTION: this entire message is privileged communication, intended for the sole use of its recipients only. If you read it even though you know you aren't supposed to, you're a poopy-head.
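The two content signatures Geoff describes (the Stacheldraht "skillz" echo reply and the Welchia echo request carrying 64 A's), together with the Yahoo keep-alive false positive he chooses to accept, as a small Python matcher run over constructed ICMP packets. This is an added example, not code from the thread, from Snort or from TippingPoint; the packet samples, the signature names, the `Signature` class and the drop/alert/pass policy are all constructed here for illustration.

```python
"""ICMP content signatures over constructed packets (added example)."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload.
    Over a correctly checksummed packet the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(itype: int, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct an ICMP echo request/reply: type, code 0, checksum, id, seq, payload."""
    header = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", itype, 0, csum, ident, seq) + payload


def parse_icmp(raw: bytes) -> Tuple[int, int, bytes]:
    """Return (type, code, payload); reject truncated or checksum-invalid packets."""
    if len(raw) < 8:
        raise ValueError("truncated ICMP packet")
    itype, code, _csum, _ident, _seq = struct.unpack("!BBHHH", raw[:8])
    if icmp_checksum(raw) != 0:
        raise ValueError("bad ICMP checksum")
    return itype, code, raw[8:]


@dataclass(frozen=True)
class Signature:
    name: str
    itype: int                          # ICMP type the rule applies to
    content: Callable[[bytes], bool]    # payload test (hypothetical stand-in for a content match)
    action: str                         # "drop" in IPS mode, "alert" in IDS mode


# The two signatures the post describes, as payload tests (names are constructed).
SIGNATURES: List[Signature] = [
    Signature("Stacheldraht agent->handler hello ('skillz' in echo reply)",
              ICMP_ECHO_REPLY, lambda p: b"skillz" in p, "drop"),
    Signature("Welchia ICMP sweep (echo request, 64 x 'A')",
              ICMP_ECHO_REQUEST, lambda p: p == b"A" * 64, "drop"),
]


def evaluate(raw: bytes, sigs: List[Signature] = SIGNATURES) -> List[Tuple[str, str]]:
    """Return (signature name, action) for every signature the packet matches."""
    itype, _code, payload = parse_icmp(raw)
    return [(s.name, s.action) for s in sigs if s.itype == itype and s.content(payload)]


def verdict(raw: bytes, sigs: List[Signature] = SIGNATURES) -> str:
    """'drop' if any matching rule drops, 'alert' if any only alerts, else 'pass'."""
    actions = {action for _, action in evaluate(raw, sigs)}
    if "drop" in actions:
        return "drop"
    if "alert" in actions:
        return "alert"
    return "pass"


# Constructed sample traffic (not captures). The keep-alive lookalike carries the
# same 64-byte payload the Welchia rule keys on, so a payload-content signature
# cannot distinguish it from the worm probe; that is the false positive accepted above.
SAMPLES: Dict[str, bytes] = {
    "stacheldraht_hello": build_icmp(ICMP_ECHO_REPLY, b"skillz"),
    "welchia_probe": build_icmp(ICMP_ECHO_REQUEST, b"A" * 64),
    "im_keepalive_lookalike": build_icmp(ICMP_ECHO_REQUEST, b"A" * 64, ident=0x5151),
    "ordinary_ping": build_icmp(ICMP_ECHO_REQUEST, bytes(range(56))),
}
BENIGN = {"im_keepalive_lookalike", "ordinary_ping"}


def run_policy(samples: Dict[str, bytes] = SAMPLES,
               sigs: List[Signature] = SIGNATURES) -> Dict[str, str]:
    """Apply the rule set to every sample and return name -> verdict."""
    return {name: verdict(pkt, sigs) for name, pkt in samples.items()}


def false_positives(results: Dict[str, str], benign=BENIGN) -> List[str]:
    """Benign samples an inline (drop) policy would have blocked."""
    return sorted(name for name in benign if results.get(name) == "drop")


if __name__ == "__main__":
    results = run_policy()
    for name, v in results.items():
        print(f"{name:26s} {v}")
    print("blocked benign traffic:", false_positives(results))
```

Running it shows both malicious samples dropped, the ordinary ping passed, and the keep-alive lookalike dropped alongside the worm probe: exactly the trade-off the post makes explicit, where a rule is run inline only because the operator has decided the traffic it also catches is expendable. The same rule set with `action` set to `"alert"` is the IDS-mode equivalent, which records the match without the collateral drop.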
Current thread:
- Re: tippingpoint] Geoff (Oct 16)
- Re: tippingpoint] John Sage (Oct 17)
- Re: tippingpoint] Frank Knobbe (Oct 17)
- Re: tippingpoint] Gary Flynn (Oct 17)
- Message not available
- Re: tippingpoint] John Sage (Oct 19)
- Re: tippingpoint] John Sage (Oct 17)
- Re: tippingpoint] Michael Sierchio (Oct 17)
- Re: tippingpoint] Geoff (Oct 17)
- <Possible follow-ups>
- FW: tippingpoint] Geoff Poer (Oct 20)