[unisog] Intrusion Prevention

Russell Fulton r.fulton at auckland.ac.nz
Thu Jan 9 21:20:10 GMT 2003

On Fri, 2003-01-10 at 08:01, Gary Flynn wrote:
> Best way to find out if a particular product will work
> in your environment is to try it out. Turn all detection
> and state management off and then very carefully start
> enabling things one by one to see how it performs. If
> everything performs OK in a detection mode, then you can
> start trying blocking traffic matching certain signatures,
> again very carefully.

I agree with Gary: the only sure way to find out what works is to try
them out.  That said, we see such a high rate of false +ves from our IDS
(even after disabling many rules) that I would feel very nervous about
acting on anything it produces without a good deal of post processing
(either automatic or human).
I certainly would not want to do anything on the basis of a single
detect unless the signature was pretty well foolproof, and in my
experience most aren't.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It ain't necessarily so"  - Gershwin
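The automatic post-processing step Russell describes (never acting on a single detect, requiring corroboration before a block is even considered) can be illustrated with a small filter that sits between the IDS and any blocking decision. This is an added example, not code from this list, from Gary's or Russell's sites, or from any IDS product; the pipe-separated alert format, the thresholds, the "noisy signature" list and the sample alerts are all constructed assumptions.

```python
"""Corroboration filter between IDS detects and any blocking action.

Added example: not from the unisog list or from any IDS product.
Assumes alerts arrive as 'timestamp|signature|src|dst' lines (an
assumed format) and emits block *candidates* for review, never blocks.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real traffic) in the assumed format.
SAMPLE_ALERTS = """\
2003-01-09 21:00:01|WEB-IIS cmd.exe access|10.0.0.5|192.168.1.20
2003-01-09 21:00:02|WEB-IIS cmd.exe access|10.0.0.5|192.168.1.21
2003-01-09 21:00:03|SCAN nmap TCP|10.0.0.5|192.168.1.22
2003-01-09 21:00:04|WEB-MISC /etc/passwd|10.0.0.5|192.168.1.23
2003-01-09 21:05:00|ICMP PING NMAP|10.0.0.9|192.168.1.1
2003-01-09 21:30:00|WEB-IIS cmd.exe access|10.0.0.7|192.168.1.20
"""

# Assumed tuning values; a real site would adjust them per signature.
WINDOW = timedelta(minutes=10)   # detects must fall within this span
MIN_ALERTS = 3                   # at least this many detects from one source
MIN_SIGNATURES = 2               # spanning at least this many distinct rules
# Signatures known to fire on benign traffic: they never count on their own.
NOISY_SIGNATURES = {"ICMP PING NMAP"}


def parse_alert(line):
    """Split one assumed-format alert line into a dict."""
    ts, sig, src, dst = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "sig": sig, "src": src, "dst": dst}


def candidates_to_block(alert_text, window=WINDOW,
                        min_alerts=MIN_ALERTS, min_sigs=MIN_SIGNATURES):
    """Return {src: evidence} only for sources with corroborating detects.

    A single detect, however loud, never qualifies; a source must trip
    several detects across more than one signature inside the window.
    """
    alerts = [parse_alert(l) for l in alert_text.splitlines() if l.strip()]
    alerts.sort(key=lambda a: a["ts"])

    by_src = defaultdict(list)
    for a in alerts:
        if a["sig"] in NOISY_SIGNATURES:
            continue                      # discard known false-positive rules
        by_src[a["src"]].append(a)

    result = {}
    for src, evs in by_src.items():
        best = None
        start = 0
        # Sliding window over this source's detects, oldest to newest.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            sigs = {a["sig"] for a in span}
            if len(span) >= min_alerts and len(sigs) >= min_sigs:
                if best is None or len(span) > best["alerts"]:
                    best = {"alerts": len(span),
                            "signatures": sorted(sigs),
                            "first": span[0]["ts"],
                            "last": span[-1]["ts"]}
        if best is not None:
            result[src] = best
    return result


if __name__ == "__main__":
    # Output is a review queue for a human, not a firewall rule.
    for src, ev in candidates_to_block(SAMPLE_ALERTS).items():
        print(f"REVIEW {src}: {ev['alerts']} detects, "
              f"{len(ev['signatures'])} signatures, "
              f"{ev['first']:%H:%M:%S}-{ev['last']:%H:%M:%S}")
```

On the constructed sample only 10.0.0.5 is surfaced (four detects across three signatures in a few seconds); 10.0.0.9 fired only a rule on the noisy list and 10.0.0.7 produced a single detect, so neither reaches the review queue, which is the behaviour Russell argues for.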
