Snort mailing list archives
Re: tippingpoint]
From: John Sage <jsage () finchhaven com>
Date: Sun, 19 Oct 2003 08:50:14 -0700
On Fri, Oct 17, 2003 at 10:12:20AM -0700, Geoff wrote:
John seems a little bitter :)
/* snip */

Hardly.

The thread as originally opened:

From: Kerry Cox <kerry.cox () ksl com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] tippingpoint
Date: 14 Oct 2003 10:49:27 -0600

"The Dell sales guy has been talking to management trying to sell them on this intrusion prevention solution from TippingPoint Technologies. Management, of course, is curious and wonders why we even use Snort when we could spend money on a solution rather than have it free. :-P"

/* snip */

So we start out with a marketing guy from Dell trying to sell something.

This post was quickly responded to in a manner that suggests we really have a new buzz-word -- IPS (Intrusion Prevention System) -- that will imminently replace IDS's (Intrusion Detection System):

From: Sean Perry <sean.perry () intransa com>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] tippingpoint
Date: Tue, 14 Oct 2003 10:38:37 -0700

"IPS vendors and the trade mags have been talking about how useless IDS are lately. You might want to sniff around on google and the like. At least one mag (lost the name) had an article a month or three back stating that IDS would be dead and gone in 2 years."

/* snip */

Here we have IPS vendors (with their own obvious self-interest) and the "trade mags" (who live by constantly hawking The Next Great Thing(tm)) pushing one acronym over another in next-to-absolute terms.

"..talking about how useless IDS are.."

Yeah. Right. That's why there's so many in use in production environments right now.

*My* point was addressed to the details of this Brave New Tool(tm) -- the IPS -- as it was presented here:

From: Geoff <gpoer () arizona edu>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] tippingpoint]
Date: Thu, 16 Oct 2003 19:48:41 -0700

"There are plenty of companies running IPS and running it successfully. Implementation of an IPS requires that you only implement signatures that have a VERY low rate of false positive or traffic that you just flat out don't care if it gets dropped. For example: in our testing we dropped ICMP stacheldraht Agent to Server Hello packets. It is a very easy sig to spot: the word "skillz" inside an ICMP echo reply packet. Rarely are we going to see that one in the wild with business critical traffic. We also dropped ICMP Welchia packets; they consist of an echo request with 64 A's."

/* snip */

So we have presented to us these IPS strong points:

1) implement signatures with a low false positive rate
2) detect ancient, well-known signatures

And I ask: this makes an IPS better or different than an IDS (aka: snort) how? By doing something different *after* the packet is identified as malicious?

uh... OK.

My real point, perhaps not quickly stated, is that any tool needs to be used with great thought, study, and understanding, and not just because some marketdroid is trying to sell it, nor because it's getting a lot of write-ups in the press.

Remember: defense in depth, not defense by marketing.

- John

--
"Most people don't type their own logfiles; but, what do I care?"
- John Sage: InfoSec Groupie
- ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
- ATTENTION: this entire message is privileged communication, intended for the sole use of its recipients only. If you read it even though you know you aren't supposed to, you're a poopy-head.
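The two signatures Geoff describes (the "skillz" string in an ICMP echo reply, and an echo request carrying 64 A's) and John's question of what an inline IPS does differently once a packet matches can be modelled in a few lines. The Python below is an added illustration written for this archive page, not code from either poster or from Snort or TippingPoint: it parses raw ICMP messages, matches them against a small signature list, and shows that in passive (IDS) mode every hit only alerts, while in inline (IPS) mode only the signatures marked as low-false-positive are dropped. The third, looser signature and all sample packets are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Callable, List, Tuple

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

@dataclass(frozen=True)
class Signature:
    name: str
    itype: int                      # ICMP type the rule applies to
    match: Callable[[bytes], bool]  # test run on the ICMP payload
    inline_action: str              # "drop" only for near-zero false-positive signatures

def parse_icmp(msg: bytes) -> Tuple[int, int, bytes]:
    """Split a raw ICMP message (no IP header) into type, code and payload."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    itype, code, _checksum, _rest_of_header = struct.unpack("!BBHI", msg[:8])
    return itype, code, msg[8:]

SIGNATURES = [
    # The two signatures named in the quoted post, as the post describes them.
    Signature("stacheldraht agent->handler hello", ICMP_ECHO_REPLY, lambda p: b"skillz" in p, "drop"),
    Signature("welchia ICMP sweep", ICMP_ECHO_REQUEST, lambda p: p == b"A" * 64, "drop"),
    # A constructed, looser signature: too many benign hits to drop on, so it only alerts inline.
    Signature("oversized echo request", ICMP_ECHO_REQUEST, lambda p: len(p) > 1000, "alert"),
]

def inspect(msg: bytes, mode: str) -> Tuple[str, List[str]]:
    """Return the verdict ('pass', 'alert' or 'drop') and the names of matching signatures.
    mode 'ids' is passive and can only alert; mode 'ips' is inline and may drop."""
    itype, _code, payload = parse_icmp(msg)
    hits = [s for s in SIGNATURES if s.itype == itype and s.match(payload)]
    names = [s.name for s in hits]
    if not hits:
        return "pass", names
    if mode == "ips" and any(s.inline_action == "drop" for s in hits):
        return "drop", names
    return "alert", names

def icmp(itype: int, payload: bytes) -> bytes:
    """Build a constructed ICMP message with a zeroed checksum (enough for pattern tests)."""
    return struct.pack("!BBHI", itype, 0, 0, 0) + payload

SAMPLES = {  # constructed sample traffic, not captures
    "welchia": icmp(ICMP_ECHO_REQUEST, b"A" * 64),
    "stacheldraht": icmp(ICMP_ECHO_REPLY, b"skillz"),
    "normal ping": icmp(ICMP_ECHO_REQUEST, bytes(range(56))),
    "skillz in request": icmp(ICMP_ECHO_REQUEST, b"skillz"),  # wrong ICMP type: no match
    "big ping": icmp(ICMP_ECHO_REQUEST, b"\x00" * 1400),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:18s} ids={inspect(msg, 'ids')[0]:5s} ips={inspect(msg, 'ips')[0]}")
```

The only difference between the two modes is the verdict taken after a match, which is the point John makes; the cost of a bad verdict is what forces an inline deployment to restrict dropping to signatures like the first two.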