RE: Intrusion Prevention

From: Matthew L. McGuirl (mmcguirl@lucidsecurity.com)
Date: 12/11/02

    Date: Wed, 11 Dec 2002 15:30:51 -0500
    From: "Matthew L. McGuirl" <mmcguirl@lucidsecurity.com>
    To: <Robert_Huber@bankone.com>, <focus-ids@securityfocus.com>
    

    ActiveScout's whole approach to the issue of reducing false positives is to assume that all attacks occur after a reconnaissance effort has been conducted. While this is certainly true in many cases it is unlikely that _all_ attacks follow recon.

    As far as I am able to determine (I've not yet tested their product) their "mark" is a combination of a source IP and some dummy data (probably a false username, password, etc.) that is unique to that particular recon attempt. If you assume that their product can successfully identify all of its "marks" when they return, it is then within reason to take their marketing department's word that they have "zero false positives." When there is no hard & fast definition of "zero false positives" by which such claims can be measured, those who market IDS/IPS products can position their argument in such a way that they're not technically wrong.

    We come at the issue from a very different angle. If anyone would like to know more about it please contact me off list.

    Happy Holidays,

    Matt

    Matt McGuirl
    Lucid Security Corporation
    Email: mmcguirl@lucidsecurity.com

    -----Original Message-----
    From: Robert_Huber@bankone.com [mailto:Robert_Huber@bankone.com]
    Sent: Wednesday, December 11, 2002 7:59 AM
    To: focus-ids@securityfocus.com
    Subject: RE: Intrusion Prevention

    From what I understand, ForeScout tags all scans, so when they see a real attack they pick up the tag and accurately identify it. This works fine for most stuff; however, it assumes that all attacks start with a scan of some sort.
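The "mark" mechanism as Matt describes it (a dummy credential pair unique to one recon attempt, recognised when it comes back) can be sketched in a few lines. This is an added toy illustration, not ForeScout's or Lucid's code; the class and function names and the IP addresses are made up. The last case in `demo()` shows the gap both posters point out: an attack that never did recon carries no mark and is invisible to the scheme.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class ReconRecord:
    src_ip: str      # address that performed the recon
    fake_user: str   # dummy username handed out in the reply
    fake_pass: str   # dummy password handed out in the reply


@dataclass
class MarkTracker:
    """Hypothetical tracker: issues one unique mark per recon attempt and
    recognises it if it is later used in a login attempt."""
    _marks: Dict[str, ReconRecord] = field(default_factory=dict)

    def issue_mark(self, src_ip: str) -> Tuple[str, str]:
        """Called when a probe is answered. Each call mints a fresh pair, so a
        returning mark points at exactly one recon attempt."""
        fake_user = "svc_" + secrets.token_hex(4)
        fake_pass = secrets.token_urlsafe(12)
        self._marks[fake_user] = ReconRecord(src_ip, fake_user, fake_pass)
        return fake_user, fake_pass

    def check(self, src_ip: str, username: str, password: str) -> Optional[dict]:
        """Called on every later login attempt. Returns None for unmarked
        traffic (normal users, and attacks with no prior recon); otherwise the
        matching recon record and whether the source IP is the same host."""
        rec = self._marks.get(username)
        if rec is None or rec.fake_pass != password:
            return None
        return {"recon_ip": rec.src_ip, "same_source": rec.src_ip == src_ip,
                "mark": username}


def demo() -> Tuple[Optional[dict], Optional[dict], Optional[dict]]:
    """Constructed traffic: one recon host, one reuse from elsewhere, one
    attack that skipped recon entirely."""
    t = MarkTracker()
    user, pw = t.issue_mark("203.0.113.7")               # probe answered with a mark
    hit_same = t.check("203.0.113.7", user, pw)          # recon host comes back
    hit_other = t.check("198.51.100.9", user, pw)        # mark reused from another IP
    miss = t.check("192.0.2.1", "admin", "admin123")     # no recon, no mark: not caught
    return hit_same, hit_other, miss
```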


