IDS mailing list archives

RE: Network hardware IPS


From: Dave Killion <Dkillion () netscreen com>
Date: Fri, 10 Oct 2003 10:56:50 -0700

This entire discussion has been my own personal opinion - this is not a
NetScreen corporate stance.  I have no intention of bringing NetScreen or
its products into play - I've only commented on my personal experiences.  If
you infer otherwise, you're mistaken.

I don't work for the PR group (obviously) - I write signatures, and deal
with accuracy vs. detection issues every day.  I really hate Marketing spin,
and generally try to avoid it.  To make matters worse, I'm a pragmatist.

I'm getting a little frustrated about this discussion, and perhaps it's
showing.  

Knowing a particular HTTP attack detection signature, I can always invent a
URL that I claim is valid, and then therefore will trigger a false positive.
With that in mind, I have to go with best guess - the majority of the time,
if I see cmd.exe in a URL, is it malicious?  Most likely, yes.  Blame my
pragmatism for that.

My whole point in this discussion has been the fact that for a given attack,
it is possible to increase accuracy without reducing the detection rate
through accuracy and context.  That's really all there is to it.

-Dave

This e-mail reflects the personal opinion of the author.
 -- Unless explicitly so stated in the text, it does not represent an
    official position of NetScreen Technologies, Inc.






Whoa...

I didn't want to get involved in this discussion, but you leave me no
other choice with that statement. Why would you want to punish an
innocent web surfer for a stupid mistake or oversight of a web
developer?


http://www.medstuff.com/showme.php?AWeird+BDoctor+CDDS+CMD.EXECUTION-STYLE_DENTISTRY_ERRORS.html
 or
http://newz.com/query.asp?HReport.LBaltimore.CMD.EXECUTIVE-SUMMARY
 or
(well, you get the point I hope)

I don't know if Netscreen really wants to take the position that people
"get what they deserve"...

Regards,
Frank
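
The trade-off argued in this thread, as an added example that is not part of either message: a bare substring signature for cmd.exe compared with one that percent-decodes the URL and requires cmd.exe to be a complete delimited token. The two URLs from Frank's message serve as benign samples; the example.com requests, the function names and the delimiter set are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Benign URLs quoted in the thread, plus two constructed requests (assumed samples)
# in which cmd.exe really is the file being requested. Second field: malicious?
SAMPLES = [
    ("http://www.medstuff.com/showme.php?AWeird+BDoctor+CDDS+CMD.EXECUTION-STYLE_DENTISTRY_ERRORS.html", False),
    ("http://newz.com/query.asp?HReport.LBaltimore.CMD.EXECUTIVE-SUMMARY", False),
    ("http://www.example.com/scripts/cmd.exe?/c+dir", True),
    ("http://www.example.com/scripts/cmd%2Eexe?/c+dir", True),
]

def naive_signature(url):
    """Substring signature: fires wherever the bytes 'cmd.exe' appear."""
    return "cmd.exe" in url.lower()

# Context: cmd.exe must be a whole token, bounded by URL delimiters or string ends.
_TOKEN = re.compile(r"(?:^|[/\\?&=+])cmd\.exe(?:$|[/\\?&=+])", re.IGNORECASE)

def contextual_signature(url):
    """Percent-decode path and query once, then require a delimited cmd.exe token."""
    parts = urlsplit(url)
    decoded = unquote(parts.path)
    if parts.query:
        decoded += "?" + unquote(parts.query)
    return bool(_TOKEN.search(decoded))

def score(signature):
    """Return (false_positives, missed_detections) over SAMPLES."""
    fp = sum(1 for url, bad in SAMPLES if signature(url) and not bad)
    fn = sum(1 for url, bad in SAMPLES if bad and not signature(url))
    return fp, fn

if __name__ == "__main__":
    for name, sig in (("naive", naive_signature), ("contextual", contextual_signature)):
        print(name, "false positives / misses:", score(sig))
```

A URL constructed to contain the exact delimited token would still fire the contextual signature, which is the residual case Dave's message concedes.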

