Firewall Wizards mailing list archives

Re: Intrusion Prevention Firewall


From: Crispin Cowan <crispin () wirex com>
Date: Fri, 05 Apr 2002 00:14:30 -0800

Vern Paxson wrote:

Is it the case that your Bro IDS scripts are not generating false positives? Or that your users don't mind so much if a legitimate session gets killed? Or a compromise, where the proactive session-killing is only connected to IDS scripts that have particularly low false positives?

It's in particular the last.

We get a false positive every couple of weeks, and of course we work on
ways to lower them.  (Bro is conducive to adding these sorts of exceptions.)

But we get dozens of true positives every day, which is the pay-off.

So, as your intrusion detection rules become asymptotically close to being absolutely precise (nearly zero false positives) they become viable access control rules, i.e. firewall rules. They're just, uh, *very* stateful :)

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
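As an added illustration of the compromise described in this message (this is example code, not code from the thread, from Bro, or from WireX), the following toy dispatcher only lets a rule kill a session when that rule's estimated false-positive rate is below a policy threshold; less precise rules stay alert-only. The rule names, rates, threshold and event stream are all constructed for the illustration.

```python
# Added example: route IDS detections to "kill" or "alert" by rule precision.
# Rule names, false-positive rates, the threshold and the sample event stream
# are constructed assumptions, not measurements from any real deployment.
from collections import defaultdict

KILL_MAX_FP_RATE = 0.001  # assumed policy: only near-zero-FP rules may kill

# (rule name, estimated false-positive rate, predicate over per-connection state)
RULES = [
    ("shellcode-in-payload", 0.0001, lambda s: s["shellcode_hits"] >= 1),
    ("brute-force-logins", 0.05, lambda s: s["failed_logins"] >= 5),
]


def dispatch(events):
    """Replay (conn_id, event) pairs through stateful rules.

    Returns {conn_id: [(rule_name, action), ...]} where action is "kill"
    (session terminated, later events for it are dropped) or "alert".
    """
    state = defaultdict(lambda: {"shellcode_hits": 0, "failed_logins": 0})
    fired = set()      # (conn_id, rule) pairs that already produced a decision
    killed = set()     # connections the "firewall" side has torn down
    decisions = defaultdict(list)
    for conn_id, event in events:
        if conn_id in killed:
            continue   # a killed session carries no further traffic
        s = state[conn_id]
        if event == "failed_login":
            s["failed_logins"] += 1
        elif event == "shellcode":
            s["shellcode_hits"] += 1
        for name, fp_rate, matches in RULES:
            if (conn_id, name) in fired or not matches(s):
                continue
            fired.add((conn_id, name))
            action = "kill" if fp_rate <= KILL_MAX_FP_RATE else "alert"
            decisions[conn_id].append((name, action))
            if action == "kill":
                killed.add(conn_id)
                break
    return dict(decisions)


# Constructed sample stream: c1 hammers logins, c2 sends a payload that
# matches the high-precision rule and then keeps talking.
SAMPLE_EVENTS = [("c1", "failed_login")] * 6 + [
    ("c2", "shellcode"),
    ("c2", "failed_login"),
]

if __name__ == "__main__":
    print(dispatch(SAMPLE_EVENTS))
```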