IDS mailing list archives
Re: Intrusion Prevention
From: Vern Paxson <vern () icir org>
Date: Mon, 09 Dec 2002 23:13:13 -0800
FYI, the way it works is by responding to scans with bogus replies that are
unique to a particular scan. Then, when subsequent attack traffic includes
the fingerprint left in the bogus reply, the IDS immediately knows that the
traffic corresponds to an attacker (assuming it correctly identified the
initial recon scan as reflecting an attacker); hence, "no false positives".
Disclaimer: I'm on Forescout's technical advisory board, hence have a
direct interest in the company. (Anti-disclaimer: I joined their board
because I do think their technology is cool. :-)
Vern
Current thread:
- Intrusion Prevention intrusi0n (Dec 08)
- Re: Intrusion Prevention Paul Wayne Brager Jr (Dec 09)
- Re: Intrusion Prevention Raistlin (Dec 09)
- Re: Intrusion Prevention roy lo (Dec 10)
- Re: Intrusion Prevention Karl Lynn (Dec 11)
- <Possible follow-ups>
- RE: Intrusion Prevention Avi Chesla (Dec 09)
- Re: Intrusion Prevention Jill Tovey (Dec 09)
- Re: Intrusion Prevention Frank Knobbe (Dec 10)
- RE: Intrusion Prevention Adam Powers (Dec 10)
- RE: Intrusion Prevention Ralph Los (Dec 10)
- Re: Intrusion Prevention Vern Paxson (Dec 10)
- RE: Intrusion Prevention Chris Petersen (Dec 11)
- Intrusion Prevention Johnny Kho (Dec 23)
- RE: Intrusion Prevention Robert_Huber (Dec 11)
- RE: Intrusion Prevention Matthew L. McGuirl (Dec 11)
- RE: Intrusion Prevention Frank Knobbe (Dec 11)
- RE: Intrusion Prevention Carey, Steve T GARRISON (Dec 23)
- Re: Intrusion Prevention Dave Mitchell (Dec 23)
- Re: Intrusion Prevention Randy Taylor (Dec 24)
- Re: Intrusion Prevention Dave Mitchell (Dec 23)
- Re: Intrusion Prevention Rick Williams (Dec 27)
- OSEC [WAS: Re: Intrusion Prevention] Greg Shipley (Dec 29)
(Thread continues...)