IDS mailing list archives
Re: Alarm response strategies
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 2 Aug 2004 11:23:05 +1200
On Mon, Jul 26, 2004 at 09:50:16PM -0400, Tony Carter wrote:
> Rob, Your argument is valid for a signature based IPS. But who makes one of those?? That's why you need protocol/anomaly/behavior based IPS. They are far less prone to false positives. Your UDP DOS may have an impact

Huh!?! Your definition of "false positive" must differ from mine something chronic :-)

You are correct, *by definition* an anomaly based IDS/IPS will never have any false positives - because it only triggers on anomalies - which are defined by it. A "recursive-truism" or the like :-)

That does not mean they aren't wrong decisions at the human level (which is all that really matters).

On nice, well defined networks (like DMZes), they can work well, but I've found that on WANs, full of all sorts of weird traffic that changes on a daily/hourly basis, sig-based still rules supreme.

As usual, it's what works best in your environment I suppose...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
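As an added illustration of the distinction drawn in this reply (example code, not from the thread or any product it mentions), a toy comparison of a statistical anomaly model and a signature match over constructed traffic. The interval counts, the "backup job" story and the signature marker are all made up for the example: on the steady DMZ series the anomaly model stays quiet, while on the noisy WAN series a legitimate change in traffic is an anomaly by the model's own definition yet a wrong call at the human level.

```python
import statistics
from dataclasses import dataclass


@dataclass
class Packet:
    """One constructed UDP datagram: the interval it arrived in and its payload."""
    interval: int
    payload: bytes


# Constructed per-interval UDP packet counts toward a quiet DMZ host.
DMZ_COUNTS = [100, 102, 98, 101, 99, 100, 103, 97, 100, 101]
# Constructed WAN counts: volume is noisy, and from interval 6 onward a branch
# office legitimately runs a nightly backup. Nothing in this series is an attack.
WAN_COUNTS = [120, 300, 90, 450, 200, 130, 800, 820, 810, 790]

# Constructed signature: a payload marker the toy treats as known-bad.
SIGNATURES = {"toy-known-bad-marker": b"TOY-KNOWN-BAD"}

# Constructed packet stream for the WAN: one flagged payload during the baseline
# period, then the (benign) backup traffic with ordinary payloads.
WAN_PACKETS = [
    Packet(1, b"dns-query-example"),
    Packet(2, b"prefix TOY-KNOWN-BAD suffix"),
    Packet(6, b"backup-chunk-0001"),
    Packet(7, b"backup-chunk-0002"),
    Packet(8, b"backup-chunk-0003"),
]


def anomaly_alerts(counts, baseline_len=5, k=3.0):
    """Classic anomaly model: learn mean and stdev from the first baseline_len
    intervals, then flag any later interval above mean + k*stdev. Every alert is
    an anomaly by construction; whether it is an attack is a separate question."""
    baseline = counts[:baseline_len]
    threshold = statistics.mean(baseline) + k * statistics.stdev(baseline)
    return [i for i in range(baseline_len, len(counts)) if counts[i] > threshold]


def signature_alerts(packets, signatures=SIGNATURES):
    """Signature model: alert only when a payload contains a known pattern,
    regardless of how much traffic surrounds it."""
    return [(p.interval, name) for p in packets
            for name, sig in signatures.items() if sig in p.payload]


def compare(counts, packets):
    """Run both models over the same interval series and packet stream."""
    return {"anomaly": anomaly_alerts(counts), "signature": signature_alerts(packets)}
```

On the WAN series the anomaly model reports intervals 6 to 9 (all backup traffic) and misses the single flagged payload, while the signature match reports only interval 2; neither result is "wrong" by its own definition, which is the point of the reply above.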