IDS mailing list archives
Re: Firewall Activity analysis
From: Matt Harris <mdh () unix si edu>
Date: Wed, 11 Dec 2002 17:11:45 -0500
"Anton A. Chuvakin" wrote:
And the dangerous thing about jumping in and implementing some simple rules (such as "connection failed -> conn successful"), might create a nice little (well, BIG actually!) "false-positive machine" and NIDS systems already provide plenty of that.
Just imagine if an SSL web server (port 443) had images on it hosted on the same system on an insecure virtual host (port 80) and the image server went down (failed connection), then they clicked a link to another document on the secure server (successful connection)... It would more than likely be going off for everyone hitting the web site... For a busy site, this could spell disaster. -- /* * * Matt Harris - Senior UNIX Systems Engineer * Smithsonian Institution, OCIO * */
Current thread:
- Firewall Activity analysis Terry Ziemniak (Dec 11)
- <Possible follow-ups>
- RE: Firewall Activity analysis Matthew F. Caldwell (Dec 11)
- RE: Firewall Activity analysis Anton A. Chuvakin (Dec 11)
- Re: Firewall Activity analysis Matt Harris (Dec 11)
- RE: Firewall Activity analysis Anton A. Chuvakin (Dec 11)
- RE: Firewall Activity analysis Matthew F. Caldwell (Dec 12)
- RE: Firewall Activity analysis Anton Chuvakin (Dec 12)
- H/N IPS -what is there? Talisker (Dec 12)
- RE: Firewall Activity analysis Anton Chuvakin (Dec 12)