IDS mailing list archives

RE: Intrusion Prevention


From: "Matthew L. McGuirl" <mmcguirl () lucidsecurity com>
Date: Wed, 11 Dec 2002 15:30:51 -0500

ActiveScout's whole approach to the issue of reducing false positives is to assume that all attacks occur after a reconnaissance effort has been conducted. While this is certainly true in many cases, it is unlikely that _all_ attacks follow recon.

As far as I am able to determine (I've not yet tested their product) their "mark" is a combination of a source IP and some dummy data (probably a false username, password, etc.) that is unique to that particular recon attempt. If you assume that their product can successfully identify all of its "marks" when they return, it is then within reason to take their marketing department's word that they have "zero false positives." When there is no hard & fast definition of "zero false positives" by which such claims can be measured, those who market IDS/IPS products can position their argument in such a way that they're not technically wrong.

We come at the issue from a very different angle. If anyone would like to know more about it please contact me off list.

Happy Holidays,

Matt

Matt McGuirl
Lucid Security Corporation
Email: mmcguirl () lucidsecurity com

-----Original Message-----
From: Robert_Huber () bankone com [mailto:Robert_Huber () bankone com] 
Sent: Wednesday, December 11, 2002 7:59 AM
To: focus-ids () securityfocus com
Subject: RE: Intrusion Prevention

From what I understand, ForeScout tags all scans, so when they see a real attack they pick up the tag and accurately identify it. This works fine for most stuff; however, it assumes that all attacks start with a scan of some sort.

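As an added illustration of the "mark" scheme discussed in this thread (constructed for this archive page; it is not ForeScout's, ActiveScout's or Lucid's code, and the HMAC construction, the `MarkStore` name and the sample addresses are assumptions, not a description of any product): each recon probe is answered with a unique dummy username bound to the probing source, and later connections are checked for any of those usernames. The last case in `demo()` shows the limitation both posters raise: an attack that skips recon carries no mark and is not flagged.

```python
import hashlib
import hmac
import secrets


class MarkStore:
    """Registry of honeytoken 'marks' handed out in response to recon (constructed example)."""

    def __init__(self, key: bytes):
        self._key = key
        self._issued: dict[str, tuple[str, str]] = {}  # mark -> (source_ip, probe)

    def mint(self, source_ip: str, probe: str) -> str:
        # Build a fake username that is unique to this source and probe; the nonce
        # keeps two scans from the same host from receiving the same mark.
        nonce = secrets.token_hex(4)
        msg = f"{source_ip}|{probe}|{nonce}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:12]
        mark = f"svc_{tag}"
        self._issued[mark] = (source_ip, probe)
        return mark

    def classify(self, source_ip: str, payload: str) -> dict:
        """Verdict for a later connection: 'marked' if it presents a mark we issued."""
        for mark, (origin_ip, probe) in self._issued.items():
            if mark in payload:
                # The mark identifies the recon it came from even when a different
                # host presents it, so the origin is reported alongside the verdict.
                return {"verdict": "marked", "origin": origin_ip, "probe": probe,
                        "same_source": origin_ip == source_ip}
        return {"verdict": "unmarked"}


def demo() -> dict:
    store = MarkStore(b"constructed-demo-key")  # constructed key, not a real secret
    # 1. Recon: a banner grab from 10.0.0.5 is answered with a unique fake account.
    mark = store.mint("10.0.0.5", "banner-grab")
    # 2. The scanner returns and tries the fake account it was handed: flagged.
    followup = store.classify("10.0.0.5", f"USER {mark}\r\nPASS letmein\r\n")
    # 3. A host that never scanned attacks straight away: nothing to match on.
    direct = store.classify("10.0.0.9", "USER admin\r\nPASS admin\r\n")
    return {"mark": mark, "followup": followup, "direct_attack": direct}
```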
