IDS mailing list archives
RE: Network hardware IPS
From: Dave Killion <Dkillion () netscreen com>
Date: Tue, 7 Oct 2003 11:21:10 -0700
I wouldn't say "hardly ever", but you're right - it's difficult to get good contexts a majority (over 50%) of the time. Which is why I mentioned the "find something unique to the attack, go for root cause, and get the context as specific as possible" part. "There are some sigs... you just can't reach. Which is what we had here last week, which is the way he wants it. Well... he gets it..." (Sorry - big Cool Hand Luke fan... ;) ).

Obviously I can't get through my point to Stefano, and I'm not bowing to his. So I'm agreeing to disagree with him. Anyway, anyone who's crazy enough to put "cmd.exe" in his path deserves all the False Positives he can stomach. And quoting a 5-year-old paper on IDS evasion doesn't convince me.

If I can create signatures to detect the majority of important attacks with a minimum of false positives, to the point where customers will buy the product, then my job is successful. What that magical point is, I'm not sure if it's mathematically quantifiable. It comes down to the customer's personal requirements. Which brings us full-circle to Marketing. Either you believe it, or you don't. I'd suggest "Trust, but Verify". ;)

-Dave

This email contains material that is confidential. The content of this email is for the sole use of the intended recipient(s). Any review or distribution by persons other than the intended recipient(s) without the express permission of NetScreen Technologies, Inc. is strictly prohibited. If you are not the intended recipient, please contact the sender and delete/destroy all copies of this email and any related attachments. NetScreen does not guarantee the accuracy or completeness of third party materials or information.

-----Original Message-----
From: david maynor [mailto:david.maynor () oit gatech edu]
Sent: Tuesday, October 07, 2003 10:17 AM
To: Dave Killion
Cc: 'Stefano Zanero'; focus-ids () securityfocus com
Subject: RE: Network hardware IPS

That is a nice example, but it hardly ever works like that. How about you detect a worm that generates a lot of SYNs with a window size of 41425? You can write a sig that is dead-on accurate but still detect many false positives. You can't expect every attack to have "written_by_phc" as a string in a packet.
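The window-size case David raises, worked through as an added illustration that is not part of the original thread: a signature that fires on every SYN carrying window size 41425 is compared with one that adds the context Dave argues for (the same window size plus many SYNs from one source to many distinct destinations in a short interval). The packet records, IP addresses and thresholds are constructed assumptions, not captured traffic.

```python
from collections import defaultdict
from typing import NamedTuple


class Syn(NamedTuple):
    ts: float   # seconds since start of the sample
    src: str
    dst: str
    window: int  # TCP window size advertised in the SYN


WORM_WINDOW = 41425  # the window size mentioned in the thread

# Constructed sample SYN records (assumption, not a real capture). 10.0.0.5
# stands in for a scanning worm; 10.0.0.9 is an ordinary client whose TCP
# stack happens to advertise the same window size, so a window-only
# signature flags it too.
SAMPLE_SYNS = [
    Syn(0.0, "10.0.0.9", "10.0.0.1", 41425),  # benign: one connection
    Syn(0.1, "10.0.0.9", "10.0.0.1", 41425),  # benign: SYN retransmit
    Syn(0.2, "10.0.0.7", "10.0.0.1", 65535),  # benign: different window
] + [Syn(1.0 + i * 0.05, "10.0.0.5", f"10.0.1.{i}", 41425) for i in range(25)]


def naive_matches(syns):
    """Window-only signature: every SYN with the suspect window is an alert."""
    return [s for s in syns if s.window == WORM_WINDOW]


def contextual_matches(syns, min_targets=10, horizon=5.0):
    """Same window size, but only alert when one source sends SYNs to at
    least `min_targets` distinct destinations within `horizon` seconds.
    Returns the set of flagged source addresses."""
    by_src = defaultdict(list)
    for s in sorted(syns, key=lambda s: s.ts):
        if s.window == WORM_WINDOW:
            by_src[s.src].append(s)
    flagged = set()
    for src, events in by_src.items():
        start = 0  # sliding time window over this source's SYNs
        for end in range(len(events)):
            while events[end].ts - events[start].ts > horizon:
                start += 1
            if len({e.dst for e in events[start:end + 1]}) >= min_targets:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    print("window-only alerts:", len(naive_matches(SAMPLE_SYNS)))
    print("with context:", sorted(contextual_matches(SAMPLE_SYNS)))
```

The window-only rule raises 27 alerts, two of them for the benign client, while the contextual rule flags only 10.0.0.5.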