[Dshield] InMon Corp.'s internal IDS
Bo.Mendenhall at hsc.utah.edu
Thu Apr 29 06:00:13 GMT 2004
When loading Snort rules into Traffic Server you need to keep in mind
Traffic Server is seeing only sampled packet headers. Any rule that
further than 128 bytes into the packet is unlikely to fire since most
implementations only capture the first 128 bytes of the packet. In
connection following is impossible since packets are randomly sampled,
any rules that depend on stateful packet inspection will fail.
It appears to have some legitimate use depending on what you are trying
to get out of it ;)
>>> peteoutside at yahoo.com 4/28/2004 6:21:16 AM >>>
Just saw the following this morning:
The InMon corporation has developed an IDS solution which monitors
internal traffic flow instead of just the perimeter in order to catch
worms and such.
Your thoughts and comments on this are invited.
For myself, I wonder if this must involve some level of anomaly
detection, and if so, I wonder by what methods they assess what is
"anomalous enough." Same problems I've been working on since I entered
this field (of course, that was only six months ago).
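The two limits described in the reply above (only the first 128 bytes of each sampled packet are seen, and no connection state is available) can be checked against a rule set before loading it. The sketch below is an added example, not part of the original post or any InMon or Snort code. The 54-byte header allowance, the function names and the sample rule are assumptions, and relative modifiers (`distance`, `within`) and `pcre` are not analysed.

```python
import re

SAMPLED_BYTES = 128   # bytes of each sampled packet, per the post
HEADER_BYTES = 54     # assumption: Ethernet 14 + IPv4 20 + TCP 20, no options
STATEFUL = {"flow", "flowbits", "stream_size"}   # need connection tracking

def parse_options(rule):
    """Return the rule's options as a list of (keyword, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for item in re.split(r"(?<!\\);", body):     # ';' inside a value is escaped
        if item.strip():
            key, _, value = item.strip().partition(":")
            opts.append((key.strip(), value.strip()))
    return opts

def content_length(value):
    """Byte length of a content pattern, counting |hex| runs as raw bytes."""
    parts = value.lstrip("!").strip().strip('"').split("|")
    text = sum(len(re.sub(r"\\(.)", r"\1", p)) for p in parts[0::2])
    hexb = sum(len("".join(p.split())) // 2 for p in parts[1::2])
    return text + hexb

def assess(rule, visible=SAMPLED_BYTES - HEADER_BYTES):
    """Classify a rule as 'stateful', 'out-of-window', 'partial' or 'ok'."""
    opts = parse_options(rule)
    if any(key in STATEFUL for key, _ in opts):
        return "stateful"                        # cannot work on random samples
    verdict = "ok"
    for i, (key, value) in enumerate(opts):
        if key != "content":
            continue
        mods = {}
        for k, v in opts[i + 1:]:                # modifiers follow their content
            if k == "content":
                break
            mods[k] = v
        offset = int(mods.get("offset", 0))
        if offset + content_length(value) > visible:
            return "out-of-window"               # pattern starts past the sample
        if "depth" not in mods or offset + int(mods["depth"]) > visible:
            verdict = "partial"                  # match may lie past the sample
    return verdict

# Constructed sample rule, not taken from any real rule set.
SAMPLE = ('alert tcp any any -> any 80 (msg:"constructed: anchored method"; '
          'content:"GET "; offset:0; depth:4; sid:1000001;)')
if __name__ == "__main__":
    print(assess(SAMPLE))
```

Rules reported as `partial` can still fire when the pattern happens to fall inside the captured bytes, so they are worth keeping but should not be relied on for coverage.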