Re: Signature Counts between IDS's

From: Kurt Seifried (bugtraq@seifried.org)
Date: 09/12/02


From: "Kurt Seifried" <bugtraq@seifried.org>
To: "Gary Halleen" <ghalleen@cisco.com>, <SEdwards@toplayer.com>, <focus-ids@securityfocus.com>
Date: Wed, 11 Sep 2002 17:05:53 -0600

Another muddy area: protocol detection, i.e. does it count as a single
signature ("anything on port 111 that represents weird rpc traffic")? I mean
obviously it's doing a lot more than a simple text matching pattern...

I think the only way to really evaluate this is run it through products like
Nessus/IDS blade informer. Of course then you get the "great, so your IDS
triggers on 5,000 FALSE alarms" (although you may want to know about scans,
meaning they are NOT false)... so do you hire a Pen team to go up against it
(sounds expensive)?

Ultimately it's like a lot of tech comparisons, totally meaningless since
we're not even sure what is being measured, let alone how.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
