Snort mailing list archives
Re: tippingpoint
From: Geoff <gpoer () arizona edu>
Date: Fri, 17 Oct 2003 10:55:29 -0700
John seems little bitter :)
"..only implement signatures that have a VERY low rate of false positive.." Yeah. That's certainly no problem, whatsoever :-/
It really is not as impossible as you make it sound. Please don't confuse dropping well known exploits with analysis. That is what IDS is for. Looking for the strange traffic and correlating known patterns to new compromises will generate false positives... That's what makes IDS fun, the puzzle that is analyzing traffic. But I would NEVER drop the packets!!!
And what do you do about traffic that represents unknown exploits?
That is a whole other discussion but we can chalk it up to... IDS and IPS are reactive devices.
For example: In our testing we dropped ICMP stacheldraht Agent to Server Hello packets. It is a very easy sig to spot: the word "skillz" inside an ICMP echo reply packet. Rarely are we going to see that one in the wild with Business critical traffic.
Stacheldraht? You gotta be kidding. How old is that?
Old.... we had 3 machines on campus that had this tool on them. Sad isn't it. They were recent compromises; the attackers just used an old tool. Goes to show that you can't throw your old sigs away!
Again, what do you do about the exploits you **don't** know about?
Again....see above :)
Well, duh..
Well put
You seem very well prepared to protect yourself against the known...
We correlate Sourcefire IDS alerts and CSIDS attacks with p0f data, netflow data and firewall logs in an effort to protect "against the known". But that is not what we use an IPS for. so duhh right back at you :)
Geoff
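The drop-versus-alert split Geoff describes, as an added example that is not code from this thread or from Snort: a small inline ICMP inspector in which only the Stacheldraht agent-to-handler hello (an ICMP echo reply carrying "skillz") earns a drop, while the same string in the wrong packet type, or a malformed packet, only alerts. The packets, addresses (RFC 5737), signature table and verdict names are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Signature table (constructed): (name, icmp type, icmp code, content, action).
# Only the match the thread calls very low false positive is allowed to drop: the
# hello is an echo *reply* (type 0) carrying "skillz"; in a *request* it only alerts.
SIGNATURES = [
    ("Stacheldraht agent->handler hello (skillz)", 0, 0, b"skillz", "drop"),
    ("skillz in ICMP echo request (probe?)", 8, 0, b"skillz", "alert"),
]

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a correct header it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp_packet(icmp_type: int, payload: bytes,
                      src: str = "203.0.113.7", dst: str = "198.51.100.20") -> bytes:
    """Constructed IPv4+ICMP datagram (code 0, id 0x1234, seq 1), not captured traffic."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp

def inspect(pkt: bytes) -> tuple[str, str]:
    """Inline verdict for one packet: ('drop' | 'alert' | 'pass', reason)."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                        # not ICMP: these signatures do not apply
        return ("pass", "not ICMP")
    icmp = pkt[ihl:]
    if checksum(icmp) != 0:                # damaged packet: alert, never silently drop
        return ("alert", "bad ICMP checksum")
    itype, icode, payload = icmp[0], icmp[1], icmp[8:]
    for name, t, c, content, action in SIGNATURES:
        if itype == t and icode == c and content in payload:
            return (action, name)
    return ("pass", "no signature matched")

if __name__ == "__main__":                 # three constructed samples
    for p in (build_icmp_packet(0, b"skillz"), build_icmp_packet(0, b"abcdefgh"), build_icmp_packet(8, b"skillz")):
        print(inspect(p))
```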