IDS mailing list archives
Re: CVE selection for IDS/IPS signature rules
From: Joel Esler <joel.esler () mac com>
Date: Thu, 05 Jun 2008 11:09:11 -0400
On Jun 3, 2008, at 3:00 PM, Enigma wrote:
This is a little off topic. Not knocking Sourcefire or VRT (3D is great and I use the VRT sigs all the time) but I have found these type of signatures to have the highest rate of false positives. Don't get me wrong, these are useful when there isn't anything else but signatures developed from public or at least seen-in-the-wild exploits are much more accurate.
I know that Sourcefire has a great false positive reporting method for rules. Pcap's are needed.
-- Joel Esler joel.esler () mac com http://blog.joelesler.net [m] ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Re: CVE selection for IDS/IPS signature rules abhicc285 (Jun 03)
- Re: CVE selection for IDS/IPS signature rules Jose Nazario (Jun 03)
- <Possible follow-ups>
- Re: CVE selection for IDS/IPS signature rules Enigma (Jun 03)
- RE: CVE selection for IDS/IPS signature rules Dimitris Patsos (Jun 03)
- Re: CVE selection for IDS/IPS signature rules Leon Ward (Jun 03)
- Re: CVE selection for IDS/IPS signature rules Enigma (Jun 05)
- Re: CVE selection for IDS/IPS signature rules Joel Esler (Jun 05)
- RE: CVE selection for IDS/IPS signature rules Srinivasa Addepalli (Jun 03)
- Re: CVE selection for IDS/IPS signature rules Ravi Chunduru (Jun 03)