[unisog] Intrusion Prevention

Valdis.Kletnieks at vt.edu
Thu Jan 9 23:06:37 GMT 2003


On Fri, 10 Jan 2003 10:20:10 +1300, Russell Fulton said:

> I agree with Gary the only sure way to find out what works is to try
> them out.  That said we see such a high rate of false +ves from our IDS
> (even after disabling many rules) that I would feel very nervous about
> acting on anything it produces without a good deal of post processing
> (either automatic or human).
> I certainly would not want to do anything on the basis of a single
> detect unless the signature was pretty well foolproof and in my
> experience most aren't.

My personal favorite is watching all the IDS's and/or virus detectors
go off whenever somebody posts to Unisog or Incidents or similar lists
about an attack of Nimda/CodeRed/Slapper/whatever - and includes logs. ;)

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
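The false positive Valdis describes, worked through as an added example (this is illustration code written for this archive page, not anything posted to the list). The signatures, ports and sample packets are constructed and deliberately simplified; they are not real Snort rules or captured traffic. A content-only matcher fires on a mail message that merely quotes CodeRed and Nimda log lines, while the same patterns restricted to the protocol context in which the exploit can actually arrive do not. The last function applies Russell's rule of not acting on a single detect and shows which sources each approach would end up blocking:

```python
"""Why a content-only IDS signature fires on a mailing-list post that quotes attack logs.

Added illustration, not code from the unisog thread. The signatures and packets
below are constructed and deliberately simplified; they are not real Snort rules.
"""
import re
from collections import Counter

# Constructed, simplified signatures for two worms discussed on the list.
# Each carries the protocol context a naive matcher ignores: the server port
# the exploit is actually delivered to.
SIGNATURES = [
    {"name": "WEB-IIS CodeRed .ida probe",
     "pattern": re.compile(r"GET /default\.ida\?"), "dst_ports": {80}},
    {"name": "WEB-IIS Nimda root.exe command",
     "pattern": re.compile(r"/(?:scripts|MSADC)/root\.exe\?"), "dst_ports": {80}},
]

# A payload that can carry the exploit starts with an HTTP request line.
HTTP_REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")

# Constructed sample traffic (payloads are hand-written, not captured).
PACKETS = [
    # real worm probes against a web server
    {"id": 1, "src": "10.0.0.5", "dst_port": 80,
     "payload": "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0\r\nHost: www\r\n\r\n"},
    {"id": 2, "src": "10.0.0.6", "dst_port": 80,
     "payload": "GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"},
    # a list post carrying quoted web-server logs, delivered over SMTP
    {"id": 3, "src": "10.0.0.7", "dst_port": 25,
     "payload": ("Subject: [unisog] CodeRed/Nimda logs\r\n\r\n"
                 '10.1.2.3 - - "GET /default.ida?XXXX HTTP/1.0" 404\r\n'
                 '10.1.2.3 - - "GET /scripts/root.exe?/c+dir HTTP/1.0" 404\r\n')},
    # a benign request
    {"id": 4, "src": "10.0.0.8", "dst_port": 80,
     "payload": "GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"},
    # the same infected host probing a second server
    {"id": 5, "src": "10.0.0.5", "dst_port": 80,
     "payload": "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0\r\nHost: www2\r\n\r\n"},
]


def naive_scan(packets):
    """Content-only matching: any port, whole payload.

    Returns (packet id, source, signature name) tuples; the SMTP message
    quoting the logs trips both signatures."""
    alerts = []
    for pkt in packets:
        for sig in SIGNATURES:
            if sig["pattern"].search(pkt["payload"]):
                alerts.append((pkt["id"], pkt["src"], sig["name"]))
    return alerts


def contextual_scan(packets):
    """Same patterns, applied only where the exploit could actually land:
    the right server port, a well-formed HTTP request line, and the match
    confined to that request line rather than to a mail body quoting it."""
    alerts = []
    for pkt in packets:
        m = HTTP_REQUEST_LINE.match(pkt["payload"])
        if not m:
            continue  # not an HTTP request; a mail body never gets this far
        request_line = m.group(0)
        for sig in SIGNATURES:
            if pkt["dst_port"] in sig["dst_ports"] and sig["pattern"].search(request_line):
                alerts.append((pkt["id"], pkt["src"], sig["name"]))
    return alerts


def sources_to_block(alerts, min_hits=2):
    """The thread's rule: do not act on a single detect. Only a source that
    trips signatures repeatedly becomes a candidate for an automatic block."""
    hits = Counter(src for _, src, _ in alerts)
    return {src for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for name, scan in (("naive", naive_scan), ("contextual", contextual_scan)):
        alerts = scan(PACKETS)
        print(f"{name}: {len(alerts)} alerts, would block {sorted(sources_to_block(alerts))}")
```

With these inputs the naive scan raises five alerts and, even with the two-hit threshold, would block the mail server that relayed the list post alongside the infected host; the contextual scan raises three and blocks only the host that is actually probing. The threshold on its own does not rescue the naive matcher, since a single quoted log excerpt can carry several signatures at once.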


