IDS mailing list archives
Re: About IPS testing
From: Tod Beardsley <todb () planb-security net>
Date: Fri, 21 Jan 2005 17:12:00 -0600
Julius Detritus wrote:
Also everybody knows that IPS are subject to performance issues when they are not tuned. So "old" and useless signatures are usually disabled in production. Having them enabled for tests will make results unreliable as they do not match production conditions.
I don't understand your logic of 'disabling old filters.'It'd be a pretty sorry state of affairs if your site with your expensive IPS got 0wned by Nimda/Slammer/Witty again.
An IPS that can't keep up on both old and busted /and/ new hotness would be a pretty useless IPS. You'd be better off just patching your exposed machines.
-tod (ObDisclaimer: I work at an IPS vendor, TippingPoint) -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- Re: newbie quetsions Jose Maria Lopez (Jan 03)
- <Possible follow-ups>
- Re: newbie quetsions Jason (Jan 06)
- Re: newbie quetsions Dave Aitel (Jan 06)
- Re: newbie quetsions (on how much Snort sucks) Martin Roesch (Jan 11)
- Re: newbie quetsions (on how much Snort sucks) Dave Aitel (Jan 11)
- Re: newbie quetsions (on how much Snort sucks) Martin Roesch (Jan 11)
- Re: newbie quetsions Dave Aitel (Jan 06)
- RE: newbie quetsions Julius Detritus (Jan 12)
- Re: newbie quetsions Rainer Duffner (Jan 17)
- About IPS testing (was: newbie quetsions) Julius Detritus (Jan 19)
- Re: About IPS testing Tod Beardsley (Jan 24)
- Re: newbie quetsions Stefano Zanero (Jan 14)