IDS mailing list archives

Re: amount of alarms generated by IDS


From: Ravishankar Ithal <ravi_ithal () yahoo com>
Date: Mon, 10 May 2004 21:45:51 -0700 (PDT)

"expected" is the keyword here. While promiscuous mode IDS got away with
logging alarms because of FPs, inline IDS (or IPS) has more to lose. If it
generates a lot of FPs and drops good packets, network usability is at stake.
Third party correlation tools can't help inline IDS at all. For these reasons,
the initial configs for inline IDS devices should be much more stringent and
should contain high confidence signatures only.

-Ravishankar Ithal


--- Bhargav Bhikkaji <bbhikkaji () yahoo co in> wrote:
In-Reply-To: <20040507072116.73229.qmail () web12822 mail yahoo com>

The right-out-of-the-box configs for an inline device are expected to
generate much fewer FPs since admins don't have all the time in the world to
tune the rules unlike on a promiscuous mode device.


I am not sure how Inline IDS will generate fewer FPs?

-Bhargav
