IDS mailing list archives

Re: CVE selection for IDS/IPS signature rules

From: Joel Esler <joel.esler () mac com>
Date: Thu, 05 Jun 2008 11:09:11 -0400


On Jun 3, 2008, at 3:00 PM, Enigma wrote:

This is a little off topic. Not knocking Sourcefire or VRT (3D isgreat and I use the VRT sigs all the time) but I have found thesetype of signatures to have the highest rate of false positives.Don't get me wrong, these are useful when there isn't anything elsebut signatures developed from public or at least seen-in-the-wildexploits are much more accurate.

I know that Sourcefire has a great false positive reporting method forrules. Pcap's are needed.



--
Joel Esler
  joel.esler () mac com
  http://blog.joelesler.net
[m]




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

Current thread:

Re: CVE selection for IDS/IPS signature rules abhicc285 (Jun 03)
- Re: CVE selection for IDS/IPS signature rules Jose Nazario (Jun 03)
- <Possible follow-ups>
- Re: CVE selection for IDS/IPS signature rules Enigma (Jun 03)
  - RE: CVE selection for IDS/IPS signature rules Dimitris Patsos (Jun 03)
  - Re: CVE selection for IDS/IPS signature rules Leon Ward (Jun 03)
    - Re: CVE selection for IDS/IPS signature rules Enigma (Jun 05)
    - Re: CVE selection for IDS/IPS signature rules Joel Esler (Jun 05)
- RE: CVE selection for IDS/IPS signature rules Srinivasa Addepalli (Jun 03)
  - Re: CVE selection for IDS/IPS signature rules Ravi Chunduru (Jun 03)