IDS mailing list archives
RE: Recommended IPS signature set
From: "Yahsodhan Deshpande" <yahsodhan.deshpande () nevisnetworks com>
Date: Mon, 10 Dec 2007 10:12:25 -0800
Most of the 'Out-of-box' configurations are such that their device performs better. So they would disable the signatures which would affect the performance. You would observe that most of the signatures where pattern matching is involved per packet (independent of the flow, or specific port number) would always be disabled.

Another reason for disabling non-critical signatures is that some of the devices have a limit on the number of patterns that can be loaded in the fast memory, without the need of swapping out. Thus they try to limit the number of patterns by tuning the number of signatures.

Some of the signatures are disabled because of a high rate of false positives.

Although none of the products would say the above, that is the primary reason. Anyway, it is better to tune the IDS/IPS device as per individual environment so as to get maximum performance and fewer false positives.

Regards,
Yashodhan

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ravi Chunduru
Sent: Saturday, December 08, 2007 8:17 AM
To: focus-ids () securityfocus com
Subject: Recommended IPS signature set

I understand from several emails in this list that UTM or IPS devices enable only a subset of signatures for detection as well as blocking - it is being termed as 'sane IPS', 'out-of-box IPS', recommended, etc. Is there any criteria (standard or non-standard) used in categorizing a signature as 'recommended'? Is it based on CVE priority?

Thanks
Ravi

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- Recommended IPS signature set Ravi Chunduru (Dec 10)
- Re: Recommended IPS signature set Jeremy Bennett (Dec 10)
- RE: Recommended IPS signature set Yahsodhan Deshpande (Dec 10)