[unisog] Intrusion Prevention

Russell Fulton r.fulton at auckland.ac.nz
Thu Jan 9 21:20:10 GMT 2003


On Fri, 2003-01-10 at 08:01, Gary Flynn wrote:
> 
> Best way to find out if a particular product will work
> in your environment is to try it out. Turn all detection
> and state management off and then very carefully start
> enabling things one by one to see how it performs. If
> everything performs OK in a detection mode, then you can
> start trying blocking traffic matching certain signatures,
> again very carefully.

I agree with Gary: the only sure way to find out what works is to try
them out.  That said, we see such a high rate of false +ves from our IDS
(even after disabling many rules) that I would feel very nervous about
acting on anything it produces without a good deal of post-processing
(either automatic or human).
I certainly would not want to do anything on the basis of a single
detect unless the signature was pretty well foolproof, and in my
experience most aren't.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It ain't necessarily so"  - Gershwin