IDS mailing list archives
RE: Network hardware IPS
From: Dave Killion <Dkillion () netscreen com>
Date: Fri, 10 Oct 2003 10:56:50 -0700
This entire discussion has been my own personal opinion - this is not a NetScreen corporate stance. I have no intention of bringing NetScreen or its products into play - I've only commented on my personal experiences. If you infer otherwise, you're mistaken.

I don't work for the PR group (obviously) - I write signatures, and deal with accuracy vs. detection issues every day. I really hate Marketing spin, and generally try to avoid it. To make matters worse, I'm a pragmatist.

I'm getting a little frustrated about this discussion, and perhaps it's showing.

Knowing a particular HTTP attack detection signature, I can always invent a URL that I claim is valid, and then therefore will trigger a false positive. With that in mind, I have to go with best guess - the majority of the time, if I see cmd.exe in a URL, is it malicious? Most likely, yes. Blame my pragmatism for that.

My whole point in this discussion has been the fact that for a given attack, it is possible to increase accuracy without reducing the detection rate through accuracy and context. That's really all there is to it.

-Dave

This e-mail reflects the personal opinion of the author. -- Unless explicitly so stated in the text, it does not represent an official position of NetScreen Technologies, Inc. This email contains material that is confidential. The content of this email is for the sole use of the intended recipient(s). Any review or distribution by persons other than the intended recipient(s) without the express permission of NetScreen Technologies, Inc. is strictly prohibited. If you are not the intended recipient, please contact the sender and delete/destroy all copies of this email and any related attachments. NetScreen does not guarantee the accuracy or completeness of third party materials or information.

Whoa... I didn't want to get involved in this discussion, but you leave me no other choice with that statement. Why would you want to punish an innocent web surfer for a stupid mistake or oversight of a web developer?

http://www.medstuff.com/showme.php?AWeird+BDoctor+CDDS+CMD.EXECUTION-STYLE_DENTISTRY_ERRORS.html

or

http://newz.com/query.asp?HReport.LBaltimore.CMD.EXECUTIVE-SUMMARY

or (well, you get the point I hope)

I don't know if Netscreen really wants to take the position that people "get what they deserve"...

Regards,
Frank
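
Added example, not part of either e-mail and not any vendor's signature logic: it compares a bare substring match for cmd.exe with one possible reading of "context", namely requiring cmd.exe to stand alone as a file-name token after percent-decoding. The token rule, the example.com request URLs and all function names are assumptions made here; the two benign URLs are the ones quoted in the thread, with the line wrap removed.

```python
import re
from urllib.parse import unquote

# Naive signature: the substring "cmd.exe" anywhere in the URL, any case.
NAIVE = re.compile(r"cmd\.exe", re.IGNORECASE)

# Context-aware signature (assumed rule, not a vendor's): "cmd.exe" must stand
# alone as a file-name token, not be the start or end of a longer word.
NAME_CHAR = r"[A-Za-z0-9_.\-]"
CONTEXT = re.compile(rf"(?<!{NAME_CHAR})cmd\.exe(?!{NAME_CHAR})", re.IGNORECASE)

def normalize(url, max_rounds=3):
    """Percent-decode until stable (bounded), so encoded names still match."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def classify(url):
    """Return (naive_hit, context_hit) for one request URL."""
    text = normalize(url)
    return bool(NAIVE.search(text)), bool(CONTEXT.search(text))

# (url, is_malicious). Benign URLs are from the thread; the others are constructed.
SAMPLES = [
    ("http://www.medstuff.com/showme.php?AWeird+BDoctor+CDDS+"
     "CMD.EXECUTION-STYLE_DENTISTRY_ERRORS.html", False),
    ("http://newz.com/query.asp?HReport.LBaltimore.CMD.EXECUTIVE-SUMMARY", False),
    ("http://www.example.com/scripts/cmd.exe?/c+dir", True),
    ("http://www.example.com/scripts/CMD%2Eexe?/c+dir", True),
]

def score(samples):
    """Count false positives and missed detections for each signature."""
    stats = {"naive": {"fp": 0, "missed": 0}, "context": {"fp": 0, "missed": 0}}
    for url, malicious in samples:
        for name, hit in zip(("naive", "context"), classify(url)):
            if hit and not malicious:
                stats[name]["fp"] += 1
            if malicious and not hit:
                stats[name]["missed"] += 1
    return stats

if __name__ == "__main__":
    print(score(SAMPLES))
```

On these samples the substring match flags both benign URLs, while the token rule flags neither and still catches both requests for cmd.exe. A benign URL that contains a standalone cmd.exe token would still trigger the token rule.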