IDS mailing list archives

RE: IDS alerts / second - Correlation - Virtualization

From: Frank Knobbe <frank () knobbe us>
Date: Sun, 24 Jul 2005 16:02:32 -0500

On Sun, 2005-07-24 at 13:30 -0700, Swift, David wrote:

Then the data is fed back into the IPS engine and Firewall to
intelligently turn on signatures to block events that the protected
network is vulnerable to, firewall unwanted ports,


Why were the "unwanted ports" open in the first place?

and ideally to turn
off alerting for events the protected network is not vulnerable to.


You meant to say "network is not *known* to be vulnerable to". The
knowing part is the tricky part. I'm not start with 0-day issues. Even
without those, the vulnerability landscape is in flux. What happens when
an not-vulnerable server  dies, and gets restored to a vulnerable
version? Your vulnerability scan engine would have to constantly run
scans.

Again, why not detect "compromises" instead of "assumed/confirmed
vulnerability states"?

Regards,
Frank
(replying without mentioning product/vendor names.... yay!)

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

RE: IDS alerts / second - Correlation - Virtualization Swift, David (Jul 25)
- RE: IDS alerts / second - Correlation - Virtualization Frank Knobbe (Jul 25)
  - Re: IDS alerts / second - Correlation - Virtualization william taft (Jul 26)
    - Re: IDS alerts / second - Correlation - Virtualization Ron Gula (Jul 27)
- <Possible follow-ups>
- RE: IDS alerts / second - Correlation - Virtualization Palmer, Paul (ISSAtlanta) (Jul 26)
- RE: IDS alerts / second - Correlation - Virtualization Nathan Davidson (Jul 26)
- RE: IDS alerts / second - Correlation - Virtualization Swift, David (Jul 27)
  - Re: IDS alerts / second - Correlation - Virtualization william taft (Jul 29)
  - Message not available
    - RE: IDS alerts / second - Correlation - Virtualization Sanjay Rawat (Jul 29)
- RE: IDS alerts / second - Correlation - Virtualization Biswas, Proneet (Jul 27)