IDS mailing list archives
RE: Intrusion Prevention
From: "Matthew L. McGuirl" <mmcguirl () lucidsecurity com>
Date: Wed, 11 Dec 2002 15:30:51 -0500
ActiveScout's whole approach to the issue of reducing false positives is to assume that all attacks occur after a reconnaissance effort has been conducted. While this is certainly true in many cases, it is unlikely that _all_ attacks follow recon. As far as I am able to determine (I've not yet tested their product), their "mark" is a combination of a source IP and some dummy data (probably a false username, password, etc.) that is unique to that particular recon attempt. If you assume that their product can successfully identify all of its "marks" when they return, it is then within reason to take their marketing department's word that they have "zero false positives." When there is no hard & fast definition of "zero false positives" by which such claims can be measured, those who market IDS/IPS products can position their argument in such a way that they're not technically wrong.

We come at the issue from a very different angle. If anyone would like to know more about it, please contact me off list.

Happy Holidays,
Matt

Matt McGuirl
Lucid Security Corporation
Email: mmcguirl () lucidsecurity com

-----Original Message-----
From: Robert_Huber () bankone com [mailto:Robert_Huber () bankone com]
Sent: Wednesday, December 11, 2002 7:59 AM
To: focus-ids () securityfocus com
Subject: RE: Intrusion Prevention
From what I understand, ForeScout tags all scans, so when they see a real attack they pick up the tag and accurately identify it. This works fine for most stuff; however, it assumes that all attacks start with a scan of some sort.
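The marking scheme discussed in this thread, as an added illustration that is not code from the thread or from any vendor's product: a recon probe is answered with a dummy account name that is unique to that probe (here an HMAC over the probing IP, a probe id and a nonce, which is an assumption about the construction), and any later login attempt that presents that dummy name is attributed to the recon that received it. The "unmarked" bucket is where an attack with no prior recon lands, which is the gap Matt describes.

```python
import hashlib
import hmac
import secrets


class MarkTracker:
    """Issue recon-unique dummy credentials and recognise them when they return."""

    def __init__(self, key: bytes):
        self.key = key
        self.issued = {}  # dummy username -> (recon source IP, probe id)

    def issue_mark(self, source_ip: str, probe_id: str) -> str:
        # A per-probe nonce keeps the mark unique even if one host probes repeatedly.
        nonce = secrets.token_hex(4)
        msg = f"{source_ip}|{probe_id}|{nonce}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:12]
        username = f"svc_{tag}"  # the dummy data handed back in the recon response
        self.issued[username] = (source_ip, probe_id)
        return username

    def classify(self, source_ip: str, username: str) -> dict:
        # A returning mark is attributable to the recon that received it; the
        # attacking IP may differ from the recon IP, so both are recorded.
        if username in self.issued:
            recon_ip, probe_id = self.issued[username]
            return {"verdict": "marked-attack", "recon_ip": recon_ip,
                    "probe_id": probe_id, "attack_ip": source_ip}
        return {"verdict": "unmarked", "attack_ip": source_ip}


def triage(tracker: MarkTracker, login_attempts):
    """Split (ip, username) login attempts into mark-correlated alerts and the rest."""
    results = [tracker.classify(ip, user) for ip, user in login_attempts]
    alerts = [r for r in results if r["verdict"] == "marked-attack"]
    unmarked = [r for r in results if r["verdict"] == "unmarked"]
    return alerts, unmarked


if __name__ == "__main__":
    tracker = MarkTracker(key=secrets.token_bytes(16))
    # Constructed recon event: a user-enumeration probe from 203.0.113.5.
    dummy_user = tracker.issue_mark("203.0.113.5", "user-enum-0001")
    # Constructed later login attempts: the first reuses the planted dummy account,
    # the second guesses a real-looking account with no prior recon (not marked).
    attempts = [("198.51.100.9", dummy_user), ("198.51.100.9", "administrator")]
    alerts, unmarked = triage(tracker, attempts)
    print(f"{len(alerts)} mark-correlated alert(s), {len(unmarked)} unmarked attempt(s)")
```

The marked alert carries both the recon IP and the attacking IP, so the two can be correlated even when they differ; the unmarked attempt is not a false positive, but it is also not caught by the mark alone.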