Snort mailing list archives
Re: New Trend: Intrusion Prevention
From: Alberto Gonzalez <albertg () cerebro violating us>
Date: Fri, 13 Dec 2002 15:58:30 -0800
Why would you want to use an IPS to stop a SYN|FIN sweep? Portscans are the same ol' thing nowadays. Not like in the past few years where new techniques would keep getting released. Your IPS software (appliance) should be tuned to defend against attacks, not mere probes at your network. Heck, there are methods to trick nmap out there. I think if intrusion prevention is going to get anywhere, it needs to just concentrate on attacks; you don't want to overwhelm it. Or is it just me that hasn't seen anything interesting in a portscan in the last, oh, say, year?

These are my opinions. I would love to hear others, but let's keep it off-list.
Cheers!
- Alberto

Bob Dehnhardt wrote:
Everything I've seen about IPS is that it's intended as another facet of security, not as a replacement for IDS. IPS is useful for preventing attacks that can be identified with a high (99%+) degree of accuracy, like SYN/FIN sweeps. Attacks that may have a significant number of false positives are outside IPS's realm, since having that traffic dropped would likely affect normal network operations. IDS with a real live decision-making person will be used in those cases, just as today. There is no single solution, probably never will be.

- Bob

Bob Dehnhardt
IT Operations Manager - Reno TriNet
(775) 327-6407

-----Original Message-----
From: Steve Halligan [mailto:giermo () geeksquad com]
Sent: Friday, December 13, 2002 10:16 AM
To: 'Sheahan, Paul (PCLN-NW)'; Snort List (E-mail)
Subject: RE: [Snort-users] New Trend: Intrusion Prevention

I attended Infosecurity 2002 yesterday and there was much talk about intrusion detection going away, and intrusion prevention replacing it. Does anyone know if there are any plans to include intrusion prevention functionality into Snort in the future?

The future is now.
http://www.snort.org/dl/contrib/patches/inline/
Also see Hogwash at:
http://www.snort.org/dl/contrib/patches/hogwash/

Now one could (and I would) debate the premise that you stated, but that is a whole 'nother can of worms.

-steve
-- The secret to success is to start from scratch and keep on scratching.