Educause Security Discussion mailing list archives

Re: Phishing E-mail Procedures


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 26 Jan 2012 14:45:33 -0500

On Thu, 26 Jan 2012 12:24:10 CST, Tim Doty said:
> "Default Permit"....  In short, it isn't something that security folks go preaching.

Marcus's point is that it's a *dumb* idea - any security folks preaching it should
probably be taken out back and shot.  Or maybe shot out front and made an
example of. ;)

The problem is all the little corner cases - everything from propping a door
open because you'll be right back to open a hole for port 22 for a vendor
support technician and not bothering to restrict by source IP address because
you don't know for sure but you *know* you'll close it right back up...

> "Enumerating Badness". This is closer to being accurate, but in security
> it is not preached, it is accepted.

Even if it's *accepted*, it's *still* a dumb idea, as every single site pwned via
an SQL injection will testify. ;)

> Guess what I do with Snort? I enumerate badness (detection rules are an
> example of enumeration and with snort we don't try to detect what is
> good, but what is undesired). Sorry, but I'm not giving up on snort.

And you know to add an "undesired" rule, how? ;)

Might be illustrative to turn that around for a little while - add some snort rules
to ignore known good traffic, and have it dump all the stuff it has neither "good"
nor "bad" rules for someplace - you'll almost certainly find surprising stuff you didn't
know was on your network (I once made Steve Bellovin drop his fork at lunch
by telling him that somebody I know in this neck of the woods had actually
spotted RFC3514-tagged traffic in Comcast's production network. :)
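To make the "turn it around" suggestion in the message above concrete, here is an added example that is not part of the thread and is not Snort code: a small triage of flow records that checks known-bad signatures first, then a short allow-list of known-good traffic, and dumps everything else into an "unknown" bucket for review. It also carries an RFC 3514 "evil bit" check, since the message mentions such traffic being seen in the wild. The network ranges, resolver, proxy and vendor addresses, the rules, and the sample flows are all constructed assumptions for illustration.

```python
# Added example (not from the thread, not Snort): "enumerate goodness" triage.
# Known-bad rules fire first, known-good rules next, everything else is
# dumped into an "unknown" bucket for a human to look at.
# All addresses, rules and sample flows are constructed for illustration.
import struct
from collections import namedtuple
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")     # assumed campus range (RFC 5737 doc space)
RESOLVER = ip_address("192.0.2.53")     # assumed internal DNS resolver
PROXY = ip_address("192.0.2.80")        # assumed outbound web proxy
VENDOR = ip_address("198.51.100.7")     # assumed vendor support host
UDP, TCP = 17, 6

# RFC 3514 "evil bit": the reserved high bit of the IPv4 flags field,
# i.e. 0x8000 of the 16-bit flags + fragment-offset word at header offset 6.
EVIL_BIT = 0x8000

Flow = namedtuple("Flow", "src dst proto dport ip_header")


def ipv4_header(src, dst, proto, flags_frag=0):
    """Build a minimal 20-byte IPv4 header (checksum left at zero; not computed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, flags_frag,
                       64, proto, 0, src.packed, dst.packed)


def ipv4_flags(header):
    """Return the 16-bit flags + fragment-offset word from an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return struct.unpack("!H", header[6:8])[0]


def evil_bit_set(header):
    return bool(ipv4_flags(header) & EVIL_BIT)


def mk_flow(src, dst, proto, dport, flags_frag=0):
    s, d = ip_address(src), ip_address(dst)
    return Flow(s, d, proto, dport, ipv4_header(s, d, proto, flags_frag))


# Enumerating goodness: the short list of traffic we actually expect.
GOOD_RULES = [
    ("dns-to-resolver", lambda f: f.src in INSIDE and f.dst == RESOLVER
     and f.proto == UDP and f.dport == 53),
    ("web-via-proxy", lambda f: f.src in INSIDE and f.dst == PROXY
     and f.proto == TCP and f.dport in (80, 443)),
]

# Enumerating badness: the Snort-style signatures.
BAD_RULES = [
    ("ssh-from-outside-not-vendor", lambda f: f.src not in INSIDE
     and f.src != VENDOR and f.proto == TCP and f.dport == 22),
    ("rfc3514-evil-bit", lambda f: evil_bit_set(f.ip_header)),
]


def triage(flows):
    """Sort flows into bad / good / unknown. Bad is checked first so a
    permissive allow rule cannot mask a signature hit."""
    buckets = {"bad": [], "good": [], "unknown": []}
    for f in flows:
        hits = [name for name, match in BAD_RULES if match(f)]
        if hits:
            buckets["bad"].append((f, hits))
            continue
        hits = [name for name, match in GOOD_RULES if match(f)]
        if hits:
            buckets["good"].append((f, hits))
        else:
            buckets["unknown"].append(f)   # neither known-good nor known-bad
    return buckets


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    mk_flow("192.0.2.10", "192.0.2.53", UDP, 53),            # good: DNS
    mk_flow("192.0.2.11", "192.0.2.80", TCP, 443),           # good: web via proxy
    mk_flow("203.0.113.5", "192.0.2.20", TCP, 22),           # bad: SSH from the Internet
    mk_flow("198.51.100.7", "192.0.2.20", TCP, 22),          # unknown: vendor SSH, hole still open
    mk_flow("192.0.2.12", "203.0.113.9", TCP, 6667),         # unknown: IRC leaving campus
    mk_flow("192.0.2.13", "192.0.2.53", UDP, 53, EVIL_BIT),  # bad: DNS, but evil bit set
]


def bucket_sizes(flows=SAMPLE_FLOWS):
    return {k: len(v) for k, v in triage(flows).items()}


if __name__ == "__main__":
    b = triage(SAMPLE_FLOWS)
    for f, names in b["bad"]:
        print("alert:", f.src, "->", f.dst, names)
    for f in b["unknown"]:
        print("review:", f.src, "->", f.dst, f"proto={f.proto} dport={f.dport}")
```

The "unknown" bucket is the point: the vendor's SSH session is not a signature hit, and it is not on the allow-list either, so it surfaces for review rather than being silently permitted; the same goes for the IRC connection leaving campus. Checking bad rules before good ones matters for the last sample flow, which is otherwise perfectly ordinary DNS.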
