Re: AW: Gateway IDS
From: Frank Knobbe (fknobbe@knobbeits.com) Date: 06/28/02
- Previous message: Tom D'Aquino: "Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
- In reply to: Jochen Vogel: "AW: Gateway IDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Frank Knobbe <fknobbe@knobbeits.com> To: Jochen Vogel <jvogel@it-sec.de> Date: 27 Jun 2002 23:48:14 -0500
On Thu, 2002-06-27 at 03:31, Jochen Vogel wrote:
> Thanks for your replies,
>
> It seems there is a great interest.
>
> I will look at Hogwash and Ian's project.
>
> onsecure seems to be good too.
>
> Sending RST packets or blocking the SRC IP over OPSEC
> is not really good because, besides bypassing the system through
> latency or IP stack modification, additional IP blocking
> can end in a DoS if I spoof bad packets with your partner's
> source. The only way is:
Yeah, for blind blocking that is correct. When I wrote SnortSam, I tried
to include countermeasures that can reduce the risk of DoS (white-list,
rollback support). You are correct, though. Blocking (or sniping
sessions) is not for the faint of heart. You need to know your network
well.
On the other hand, you can shoot yourself in the foot with a GIDS like
Hogwash as well. For example, most of the shellcode signatures Snort has
are often triggered falsely. One annoying one was the RCPT TO overflow
signature. While that may just be annoying for an IDS that only alerts,
a GIDS would not pass that packet through, and you would miss out on
legitimate traffic. False positives in a GIDS take on a different
dimension.
Regards,
Frank
- application/pgp-signature attachment: This is a digitally signed message part