Snort mailing list archives
Re: tippingpoint]
From: Gary Flynn <flynngn () jmu edu>
Date: Fri, 17 Oct 2003 09:32:22 -0400
John Sage wrote:
> On Thu, Oct 16, 2003 at 07:48:41PM -0700, Geoff wrote:
>> Ok had to respond to this one :)
>> Implementation of an IPS requires that you only implement signatures that have a VERY low rate of false positive or traffic that you just flat out
>> don't care if it gets dropped.
>
> "..only implement signatures that have a VERY low rate of false positive.."
>
> Yeah. That's certainly no problem, whatsoever :-/
>
> And what do you do about traffic that represents unknown exploits?
What do YOU do about traffic that represents unknown exploits?

Some IDP devices have intelligence to detect violations of protocol. For example, fields that are too large that may indicate a generic buffer overflow attempt. Sure, some misbehaving applications may trigger it, but simple monitoring before activating a filter will tell you that.

What do YOU do about traffic that represents unknown exploits?

A signature can be written to block packets that, for example, indicate a web transaction offering a MIME type of application/hta, which may have been useful for blocking exploits of unpatched Internet Explorer users. Note that it would block a set of generic exploits of that type, not just a specific one. Will it catch all? Of course not. What will? Will it block wanted traffic? Not if you do your homework. You actually have to make a decision about what is wanted, what is needed, and what you're willing to pay in convenience and functionality for security.

Signatures can be written to look for all types of behavior and set up to log traffic on the network to determine their effect before configuring them to block traffic.

Like many other security devices, these products depend upon an intelligent implementer and operator. They're not for someone who wants a black box, who doesn't know or care what type of traffic is on their network, and is unable to analyze the traffic and signatures to configure the box for their particular circumstances.

If you're a manager who wants a security product that stops known and unknown bad things, doesn't require any compromises, and doesn't require trained staff, keep looking. Try Orlando or Anaheim.
> Again, what do you do about the exploits you **don't** know about?
Same thing firewalls, URLSCAN, email filters, and other security tools do. Make a cost/benefit decision about certain types of behavior that are high risk and of little benefit and block them.

What do YOU do?

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
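The two filter styles Gary describes above (a content signature for a web transaction offering application/hta, and a protocol-anomaly check for an over-large field), together with his "log first, block once you know it is quiet" workflow, as an added stand-alone example. This is not code from the thread, from Snort or from TippingPoint: the rule actions mimic Snort's alert/drop vocabulary, the 512-byte header limit, the sid numbers, the hostname and every byte of the sample traffic are assumptions constructed for the demo.

```python
"""
Added demonstration (not from the thread): two filter styles described in
Gary Flynn's message, in a toy inline-inspection loop with Snort-like actions.

  1. content signature  - HTTP response whose Content-Type is application/hta
  2. protocol anomaly   - any HTTP header line longer than a fixed limit
                          (the "field too large" heuristic for generic
                          buffer-overflow attempts)

Every rule starts in ALERT (log only).  inspect() reports what fired; once a
rule has proven quiet on legitimate traffic, promote_to_drop() switches it to
DROP so the packet is actually blocked.  All traffic below is constructed.
"""
import re

ALERT, DROP, PASS = "alert", "drop", "pass"

# Assumed threshold for a "suspiciously large" header line; the thread's
# point is that you set this from observed traffic, not from a default.
MAX_HEADER_LINE_LEN = 512

# Content signature: roughly the Python form of a Snort rule such as
#   alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"HTTP response
#   offers application/hta"; flow:from_server,established;
#   content:"Content-Type|3A| application/hta"; nocase; sid:1000001; rev:1;)
# (illustrative rule text, not taken from any published ruleset)
HTA_RE = re.compile(rb"^content-type:[ \t]*application/hta\b", re.I | re.M)


def match_hta_content_type(payload):
    """True when the HTTP headers in payload offer MIME type application/hta."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    return HTA_RE.search(head) is not None


def match_oversized_header(payload, limit=MAX_HEADER_LINE_LEN):
    """True when any header line (request/status line excluded) exceeds limit."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    return any(len(line) > limit for line in head.split(b"\r\n")[1:])


def make_rules():
    """Rule set; every rule begins life logging only."""
    return [
        {"sid": 1000001, "msg": "HTTP response offers application/hta",
         "match": match_hta_content_type, "action": ALERT},
        {"sid": 1000002, "msg": "HTTP header line over %d bytes" % MAX_HEADER_LINE_LEN,
         "match": match_oversized_header, "action": ALERT},
    ]


def inspect(payload, rules):
    """Return (verdict, sids_that_fired).  A single DROP rule wins."""
    fired = [r for r in rules if r["match"](payload)]
    if not fired:
        return PASS, []
    verdict = DROP if any(r["action"] == DROP for r in fired) else ALERT
    return verdict, [r["sid"] for r in fired]


def promote_to_drop(rules, sid):
    """Switch one rule from log-only to blocking, once monitoring has shown
    it does not hit wanted traffic."""
    for r in rules:
        if r["sid"] == sid:
            r["action"] = DROP
            return
    raise KeyError(sid)


def hit_counts(payloads, rules):
    """Monitoring pass: how often each rule fired over a traffic sample."""
    counts = {r["sid"]: 0 for r in rules}
    for p in payloads:
        _, sids = inspect(p, rules)
        for s in sids:
            counts[s] += 1
    return counts


# Constructed sample traffic (not captured from any real network).
SAMPLE_TRAFFIC = [
    # ordinary page: should match nothing
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello",
    # server offering an HTML Application, the case described in the thread
    b"HTTP/1.1 200 OK\r\nContent-Type: application/hta\r\n\r\n<hta:application/>",
    # client sending a 2000-byte cookie: the "field too large" anomaly
    b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: " + b"A" * 2000 + b"\r\n\r\n",
    # long but plausible cookie under the limit: must not fire
    b"GET / HTTP/1.1\r\nHost: example.test\r\nCookie: s=" + b"B" * 300 + b"\r\n\r\n",
]

if __name__ == "__main__":
    rules = make_rules()
    print("monitoring pass:", hit_counts(SAMPLE_TRAFFIC, rules))
    promote_to_drop(rules, 1000001)   # homework done, start blocking HTA
    for p in SAMPLE_TRAFFIC:
        print(inspect(p, rules))
```

The monitoring pass is the "homework" step: run the rule set in alert mode over real traffic, look at what each sid hits, adjust the threshold or the signature until the legitimate cases (the 300-byte cookie here) stay quiet, and only then promote the rule to drop. The oversized-header check stays in alert in the demo because a size heuristic is exactly the kind of filter that misbehaving but wanted applications will trip until it has been tuned.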
Current thread:
- Re: tippingpoint] Geoff (Oct 16)
- Re: tippingpoint] John Sage (Oct 17)
- Re: tippingpoint] Frank Knobbe (Oct 17)
- Re: tippingpoint] Gary Flynn (Oct 17)
- Message not available
- Re: tippingpoint] John Sage (Oct 19)
- Re: tippingpoint] John Sage (Oct 17)
- Re: tippingpoint] Michael Sierchio (Oct 17)
- Re: tippingpoint] Geoff (Oct 17)
- <Possible follow-ups>
- FW: tippingpoint] Geoff Poer (Oct 20)