Snort mailing list archives

Re: tippingpoint


From: Geoff <gpoer () arizona edu>
Date: Fri, 17 Oct 2003 10:55:29 -0700

John seems a little bitter :)

"..only implement signatures that have a VERY low rate of false
positive.." Yeah. That's certainly no problem, whatsoever :-/

It really is not as impossible as you make it sound. Please don't confuse
dropping well known exploits with analysis. That is what IDS is for. Looking for
the strange traffic and correlating known patterns to new compromises will
generate false positives... That's what makes IDS fun, the puzzle that is
analyzing traffic. But I would NEVER drop the packets!!!


And what do you do about traffic that represents unknown exploits?

That is a whole other discussion but we can chalk it up to... IDS and IPS are
reactive devices.

For example: In our testing we dropped ICMP stacheldraht Agent
to Server Hello packets. It is a very easy sig to spot: the word
"skillz" inside an ICMP echo reply packet. Rarely are we going to see that one
in the wild with business-critical traffic.


Stacheldraht? You gotta be kidding. How old is that?

Old.... we had 3 machines on campus that had this tool on them. Sad, isn't it?
They were recent compromises; the attackers just used an old tool. Goes to show
that you can't throw your old sigs away!

Again, what do you do about the exploits you **don't** know about?

Again....see above :)


Well, duh..

Well put

You seem very well prepared to protect yourself against the known...

We correlate SourcefireIDS alerts and CSIDS attacks with p0f data, netflow data
and firewall logs in an effort to protect "against the known". But that is not
what we use an IPS for.

so duhh right back at you :)

Geoff
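Added example, not from the thread: a small Python check that implements the signature Geoff describes above (an ICMP echo reply carrying "skillz") over constructed packets, to show how narrow such a match is and why it rarely collides with ordinary traffic. The packet builder, the 10.0.0.x addresses and the ICMP identifier used in the sample are assumptions made for the test data.

```python
import struct

# Stacheldraht agent -> handler hello, as described in the message: an ICMP
# echo reply (type 0) whose payload carries the string "skillz".
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
STACHELDRAHT_MARKER = b"skillz"


def parse_ipv4_icmp(frame: bytes):
    """Return (icmp_type, icmp_code, ident, seq, payload) for an IPv4/ICMP
    packet, or None if the packet is not ICMP or is truncated."""
    if len(frame) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto = struct.unpack("!BBHHHBB", frame[:10])
    if ver_ihl >> 4 != 4 or proto != 1:      # IPv4 and protocol 1 (ICMP) only
        return None
    ihl = (ver_ihl & 0x0F) * 4
    icmp = frame[ihl:total_len]
    if len(icmp) < 8:
        return None
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return itype, code, ident, seq, icmp[8:]


def inspect(frame: bytes) -> str:
    """Classify one packet: 'alert' for the stacheldraht hello signature,
    'pass' otherwise (an IDS would log 'alert'; an IPS would drop it)."""
    parsed = parse_ipv4_icmp(frame)
    if parsed is None:
        return "pass"
    itype, _code, _ident, _seq, payload = parsed
    if itype == ICMP_ECHO_REPLY and STACHELDRAHT_MARKER in payload:
        return "alert"
    return "pass"


def build_icmp(itype: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/ICMP packet (checksums zeroed; test data only)."""
    icmp = struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp


# Constructed samples: the agent hello, an ordinary ping reply, and the same
# marker in an echo *request*, which the signature deliberately ignores.
AGENT_HELLO = build_icmp(ICMP_ECHO_REPLY, 666, 0, b"skillz\x00")
NORMAL_PING = build_icmp(ICMP_ECHO_REPLY, 1, 7, bytes(range(0x10, 0x38)))
REQUEST_ONLY = build_icmp(ICMP_ECHO_REQUEST, 1, 1, b"skillz")
```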
