Snort mailing list archives
Re: [Emerging-Sigs] Reliability of signatures
From: Matt Olney <molney () sourcefire com>
Date: Fri, 11 Feb 2011 10:08:12 -0500
The key here is that network IDS is low-latency. There are solutions for SPAM that are established and proven. I'll let them do their jobs, because they can take their time to parse the email, consult spamhaus, etc... There is not a better solution for detecting the delivery of exploits, that is the job of an IDS. SPAM can lead you to an attack, or to a longer *****, but it isn't, in itself an attack. I agree there is a ton of metadata on the network that is incredibly useful both for correlation and forensics (see intel nuggets on Razorback). But again, that is parsing known protocols that are well formed. Easy at speed. On Fri, Feb 11, 2011 at 9:55 AM, Seth Hall <seth () remor com> wrote:
On Feb 10, 2011, at 9:55 AM, Matt Olney wrote:Also, SPAM isn't an IDS issue, at least from my point of view. I worryabout malicious, not asinine. Ouch, seriously? In my opinion, if it goes over the network it's an IDS issue. Sometimes it's incredible how many little, seemingly inconsequential bits of information will add up over time to mean something much different and much more important. Maybe the remote IP address sending spam doesn't mean much for an incident response team by itself, but if that IP address logs into some local box over SSH that would be worth looking into. .Seth
------------------------------------------------------------------------------ The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE: Pinpoint memory and threading errors before they happen. Find and fix more than 250 security defects in the development cycle. Locate bottlenecks in serial and parallel code that limit performance. http://p.sf.net/sfu/intel-dev2devfeb
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: [Emerging-Sigs] Reliability of signatures, (continued)
- Re: [Emerging-Sigs] Reliability of signatures Matthew Jonkman (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Jacob Kitchel (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Michael Scheidell (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Jacob Kitchel (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Martin Roesch (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Michael Scheidell (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Matt Olney (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Seth Hall (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Joel Esler (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Seth Hall (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Matt Olney (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Seth Hall (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Matt Olney (Feb 11)
- Re: [Emerging-Sigs] Reliability of signatures Crusty Saint (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Matt Olney (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures Matthew Jonkman (Feb 10)
- Re: [Emerging-Sigs] Reliability of signatures List Subscriptions (Feb 10)
- Re: Reliability of signatures Jason Wallace (Feb 04)
- Re: Reliability of signatures Martin Holste (Feb 04)
- Re: Reliability of signatures Michael Scheidell (Feb 04)
- Re: Reliability of signatures Fraser, Hugh (Feb 07)