Re: Firewall Activity analysis
From: Matt Harris (mdh@unix.si.edu)
Date: 12/11/02
- Previous message: Frank Knobbe: "RE: Intrusion Prevention"
- In reply to: Anton A. Chuvakin: "RE: Firewall Activity analysis"
- Next in thread: Matthew F. Caldwell: "RE: Firewall Activity analysis"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 11 Dec 2002 17:11:45 -0500 From: Matt Harris <mdh@unix.si.edu> To: "Anton A. Chuvakin" <anton@chuvakin.org>, focus-ids@securityfocus.com
"Anton A. Chuvakin" wrote:
>
> And the dangerous thing about jumping in and implementing some simple
> rules (such as "connection failed -> conn successful"), might create a
> nice little (well, BIG actually!) "false-positive machine" and NIDS
> systems already provide plenty of that.
Just imagine if an SSL web server (port 443) had images on it hosted on
the same system on an insecure virtual host (port 80) and the image
server went down (failed connection), then they clicked a link to
another document on the secure server (successful connection)... It
would more than likely be going off for everyone hitting the web site...
For a busy site, this could spell disaster.
-- /* * * Matt Harris - Senior UNIX Systems Engineer * Smithsonian Institution, OCIO * */
- Next message: Matthew F. Caldwell: "RE: Firewall Activity analysis"
- Previous message: Frank Knobbe: "RE: Intrusion Prevention"
- In reply to: Anton A. Chuvakin: "RE: Firewall Activity analysis"
- Next in thread: Matthew F. Caldwell: "RE: Firewall Activity analysis"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
