Snort mailing list archives

Re: tippingpoint]


From: John Sage <jsage () finchhaven com>
Date: Thu, 16 Oct 2003 23:52:38 -0700

On Thu, Oct 16, 2003 at 07:48:41PM -0700, Geoff wrote:
> Ok had to respond to this one :)
>
> /* snip */
>
> Implementation of an IPS requires that you only implement signatures that
> have a VERY low rate of false positive or traffic that you just flat out
> don't care if it gets dropped.

"..only implement signatures that have a VERY low rate of false
positive.." 

Yeah. That's certainly no problem, whatsoever :-/

And what do you do about traffic that represents unknown exploits?

> For example: In our testing we dropped ICMP stacheldraht Agent to Server
> Hello packets. It is a very easy sig to spot: the word "skillz" inside an
> ICMP echo reply packet. Rarely are we going to see that one in the wild
> with Business critical traffic.

Stacheldraht? You gotta be kidding. How old is that?

Again, what do you do about the exploits you **don't** know about?

> We also dropped ICMP Welchia packets; they consist of an echo request with
> 64 A's. A well known false positive for that signature is the Yahoo keep
> alive packets for Instant Messenger. We made the decision that we simply
> do not care about that traffic.

Well, duh..


You seem very well prepared to protect yourself against the known...



- John
-- 
"Most people don't type their own logfiles;  but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
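The two drop rules quoted in this exchange, as an added illustration that is not part of the original post and is not Snort code: a small Python matcher that checks ICMP echo packets for the Welchia payload (echo request of 64 "A"s) and the Stacheldraht agent hello ("skillz" in an echo reply), records the accepted false positive alongside the rule, and rejects packets whose checksum does not verify. Every packet below is constructed in the file, not captured; the "keepalive-lookalike" sample only reproduces the shape the post attributes to Yahoo Messenger keep-alives and is not a real keep-alive capture.

```python
# Added example (not from the original post, and not Snort code): a small ICMP
# signature matcher for the two drop rules the post describes, run over packets
# constructed in this file rather than captured from a network.
import struct
from dataclasses import dataclass
from typing import Callable, Optional

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_HEADER_LEN = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Build an ICMP echo request/reply with a valid checksum (constructed test input)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> tuple[int, bytes]:
    """Return (type, payload); reject truncated or corrupted packets."""
    if len(pkt) < ICMP_HEADER_LEN:
        raise ValueError("truncated ICMP packet")
    if icmp_checksum(pkt) != 0:  # a valid packet sums to zero with its checksum field included
        raise ValueError("bad ICMP checksum")
    return pkt[0], pkt[ICMP_HEADER_LEN:]


@dataclass(frozen=True)
class Signature:
    name: str
    icmp_type: int
    payload_match: Callable[[bytes], bool]
    # "drop" only where the post's rule holds: near-zero false positives,
    # or traffic nobody minds losing. Anything else would be "alert".
    action: str
    known_false_positives: tuple[str, ...] = ()


SIGNATURES = (
    Signature("welchia-icmp-echo", ICMP_ECHO_REQUEST,
              lambda p: p == b"A" * 64, "drop",
              known_false_positives=("Yahoo Messenger keep-alive (as stated in the post)",)),
    Signature("stacheldraht-agent-hello", ICMP_ECHO_REPLY,
              lambda p: b"skillz" in p, "drop"),
)


def inspect(pkt: bytes) -> tuple[str, Optional[str]]:
    """First matching signature wins; unmatched packets pass."""
    icmp_type, payload = parse_icmp(pkt)
    for sig in SIGNATURES:
        if sig.icmp_type == icmp_type and sig.payload_match(payload):
            return sig.action, sig.name
    return "pass", None


# Constructed samples: none of these bytes were captured from a live network.
SAMPLE_PACKETS = {
    "welchia-probe": build_icmp(ICMP_ECHO_REQUEST, b"A" * 64),
    # Same shape the post attributes to Yahoo keep-alives; hypothetical, not a real capture.
    "keepalive-lookalike": build_icmp(ICMP_ECHO_REQUEST, b"A" * 64, ident=0x1234, seq=7),
    "stacheldraht-hello": build_icmp(ICMP_ECHO_REPLY, b"skillz"),
    "ordinary-ping": build_icmp(ICMP_ECHO_REQUEST, bytes(range(0x10, 0x38))),
    "skillz-in-request": build_icmp(ICMP_ECHO_REQUEST, b"skillz"),  # wrong ICMP type, no match
}


def run_samples() -> dict[str, tuple[str, Optional[str]]]:
    """Verdict per sample: (action, signature name or None)."""
    return {label: inspect(pkt) for label, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, (action, sig) in run_samples().items():
        print(f"{label:22s} {action:5s} {sig or '-'}")
    corrupted = bytearray(SAMPLE_PACKETS["welchia-probe"])
    corrupted[-1] ^= 0xFF
    try:
        inspect(bytes(corrupted))
    except ValueError as err:
        print("corrupted packet rejected:", err)
```

The "keepalive-lookalike" sample is dropped by the same rule as the worm probe, which is exactly the trade-off the post describes: the rule is only safe to run in drop mode because the operator decided that traffic is expendable. A signature whose false positives you do care about belongs in "alert" mode, and nothing in this matcher helps with the unknown exploits the reply asks about.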

