Re: [Snort-users] tippingpoint (Snort forums, System Security and Security Related)
John seems a little bitter :)

> "..only implement signatures that have a VERY low rate of false
> positive.."
> Yeah. That's certainly no problem, whatsoever :-/

It really is not as impossible as you make it sound. Please don't confuse dropping well-known exploits with analysis. That is what IDS is for. Looking for the strange traffic and correlating known patterns to new compromises will generate false positives... That's what makes IDS fun, the puzzle that is analyzing traffic. But I would NEVER drop the packets!!!

> And what do you do about traffic that represents unknown exploits?

That is a whole other discussion, but we can chalk it up to... IDS and IPS are reactive devices.

>> For example: In our testing we dropped ICMP stacheldraht Agent
>> to Server Hello packets. It is a very easy sig to spot: the word
>> "skillz" inside an ICMP echo reply packet. Rarely are we going to see that
>> one in the wild with Business critical traffic.
>
> Stacheldraht? You gotta be kidding. How old is that?

Old.... we had 3 machines on campus that had this tool on them. Sad, isn't it. They were recent compromises; the attackers just used an old tool. Goes to show that you can't throw your old sigs away!

> Again, what do you do about the exploits you **don't** know about?

Again....see above :)

> Well, duh..

Well put.

> You seem very well prepared to protect yourself against the known...

We correlate SourcefireIDS alerts and CSIDS attacks with p0f data, netflow data and firewall logs in an effort to protect "against the known". But that is not what we use an IPS for.

So duhh right back at you :)

Geoff

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
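The signature Geoff describes, an ICMP echo reply carrying the string "skillz", as an added Python example that is not part of the thread and not Snort's own code. It builds a few constructed IPv4/ICMP packets, applies the same match logic (ICMP type 0 plus content "skillz", optionally pinned to an ICMP identifier, a value the post does not give, so it is left unpinned by default) and shows the IDS/IPS distinction he draws: every match raises an alert, but the packet is only dropped when the filter runs in drop mode. Addresses, identifiers and payloads are invented for the demo.

```python
import struct


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd length is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _inet(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_icmp_packet(src, dst, itype, icode, ident, seq, payload):
    """Build a raw IPv4+ICMP packet with valid checksums (test input only, no network I/O)."""
    icmp = struct.pack("!BBHHH", itype, icode, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     _inet(src), _inet(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp(pkt: bytes):
    """Return the fields an ICMP signature keys on, or None if this is not IPv4/ICMP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:       # protocol 1 = ICMP
        return None
    itype, icode, _csum, ident, seq = struct.unpack_from("!BBHHH", pkt, ihl)
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "itype": itype, "icode": icode, "icmp_id": ident, "icmp_seq": seq,
        "payload": pkt[ihl + 8:],
    }


def match_stacheldraht_skillz(pkt: bytes, icmp_id=None) -> bool:
    """Snort-style match: itype:0 (echo reply) and content:"skillz".

    icmp_id is an optional extra constraint; the real tool's identifier value is
    an assumption left to the reader, so it is not pinned here by default.
    """
    f = parse_icmp(pkt)
    if f is None or f["itype"] != 0:
        return False
    if icmp_id is not None and f["icmp_id"] != icmp_id:
        return False
    return b"skillz" in f["payload"]          # substring test, like Snort content


def inline_filter(packets, drop=False):
    """IDS mode (drop=False): alert and forward everything.
    IPS mode (drop=True): alert and drop matching packets."""
    alerts, forwarded = [], []
    for pkt in packets:
        if match_stacheldraht_skillz(pkt):
            f = parse_icmp(pkt)
            alerts.append((f["src"], f["dst"]))
            if drop:
                continue
        forwarded.append(pkt)
    return alerts, forwarded


# Constructed sample traffic (invented for this example, not captures from the thread).
SAMPLE = [
    # agent -> handler hello: echo reply with "skillz"  -> match
    build_icmp_packet("10.1.1.50", "192.0.2.7", 0, 0, 1, 0, b"skillz"),
    # ordinary ping reply with a timestamp-like payload -> no match
    build_icmp_packet("192.0.2.7", "10.1.1.50", 0, 0, 4321, 1, bytes(range(56))),
    # echo *request* carrying the same word -> no match (itype must be 0)
    build_icmp_packet("10.1.1.60", "10.1.1.1", 8, 0, 4322, 1, b"skillz"),
    # echo reply with the word embedded -> match, since content is a substring test
    build_icmp_packet("10.1.1.70", "10.1.1.1", 0, 0, 4323, 1, b"no skillz here"),
]

if __name__ == "__main__":
    for mode in (False, True):
        alerts, fwd = inline_filter(SAMPLE, drop=mode)
        print("drop=%s alerts=%s forwarded=%d/%d" % (mode, alerts, len(fwd), len(SAMPLE)))
```

The fourth sample is the point of the false-positive argument: because the content check is a substring test, anything that puts the word into an echo reply trips it, so a production rule tightens the match with further fields (the ICMP identifier, direction, classtype) before anyone lets it drop traffic.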