IDS mailing list archives

Re: Alarm response strategies


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 2 Aug 2004 11:23:05 +1200

On Mon, Jul 26, 2004 at 09:50:16PM -0400, Tony Carter wrote:
> Rob,
> Your argument is valid for a signature based IPS. But who makes one of
> those?? That's why you need protocol/anomaly/behavior based IPS. They
> are far less prone to false positives.  Your UDP DOS may have an impact

Huh!?! Your definition of "false positive" must differ from mine
something chronic :-)

You are correct, *by definition* an anomaly based IDS/IPS will never have
any false positives - because it only triggers on anomalies - which are
defined by it. A "recursive-truism" or the like :-)

That does not mean they aren't wrong decisions at the human level (which is
all that really matters). On nice, well defined networks (like DMZes), they
can work well, but I've found that on WANs, full of all sorts of weird
traffic that changes on a daily/hourly basis, sig-based still rules supreme.

As usual, it's what works best in your environment I suppose...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
