Subject: Re: Validating IDS Rulesets
From: rob (robert_david_graham at YAHOO.COM)
Date: Thu Oct 19 2000 - 20:16:26 CDT
- Next message: Robert Graham: "Rapid response"
- Previous message: Brian Bartholomew: "Re: Validating IDS Rulesets"
- In reply to: Joshua Krage: "Validating IDS Rulesets"
- Reply: rob: "Re: Validating IDS Rulesets"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
-----Original Message-----
>From: Joshua Krage
>How do you (as IDS vendor or IDS tester/architect) validate your chosen
>IDSs' rulesets?
>...
>Has anyone put together a few hundred megabytes of network traces that
>can be tcpreplay'd past your IDS sensors and trigger every known alert?
That is exactly how we do it. We have at least one tracefile for every
signature. Every release gets tested to validate that they all trigger. We
have the same thing for false positives: a directory of tracefiles that
should trigger NO alerts.
For example, we had to release a new update to the engine to respond to the
recently announced Microsoft IIS exploit last Tuesday. To truly catch this,
you need to fully decode UTF8 rather than match text signatures, so it
needed to be an engine update rather than a signature update. Before we
released the update, we re-ran the major part of our tracefile library
through the sensor to validate that nothing had changed.
Robert Graham
CTO/Network ICE
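The tracefile regression described in the reply, as an added example that is not code from the post or from Network ICE. It assumes the IIS issue being referred to is one where "/" in a request arrives as an overlong UTF-8 sequence (so a text match misses it and a decoding engine does not), and it uses constructed HTTP request lines in place of real packet captures; the signature name and file names are hypothetical.

```python
from urllib.parse import unquote_to_bytes

ALERT = "HTTP-directory-traversal"          # hypothetical signature name

def full_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 by hand so that overlong 2-/3-byte forms (which a strict
    decoder rejects) still map to the character a lenient server would see."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif 0xE0 <= b < 0xF0 and i + 2 < len(data) \
                and all(0x80 <= x < 0xC0 for x in data[i + 1:i + 3]):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp)); i += 3
        else:
            out.append("\ufffd"); i += 1      # malformed byte: keep going
    return "".join(out)

def text_engine(request: bytes) -> set:
    """Signature-update style: match the literal text of the request."""
    return {ALERT} if b"../" in request else set()

def decoding_engine(request: bytes) -> set:
    """Engine-update style: percent-decode, fully decode UTF-8, then match."""
    path = full_utf8_decode(unquote_to_bytes(request))
    return {ALERT} if "../" in path else set()

# Constructed "tracefile library": true-positive traces (tp/) record the alert
# they must raise, false-positive traces (fp/) record that nothing may fire.
TRACES = {
    "tp/traversal-plain.http":    (b"GET /a/../../secret.txt HTTP/1.0", {ALERT}),
    "tp/traversal-pct.http":      (b"GET /a/..%2f..%2fsecret.txt HTTP/1.0", {ALERT}),
    "tp/traversal-overlong.http": (b"GET /a/..%c0%af..%c0%afsecret.txt HTTP/1.0", {ALERT}),
    "fp/normal-get.http":         (b"GET /index.html HTTP/1.0", set()),
    "fp/dots-in-name.http":       (b"GET /docs/release..notes/ HTTP/1.0", set()),
}

def run_regression(engine) -> list:
    """Replay every trace through an engine; return the traces whose alert set
    differs from what was recorded, i.e. the release blockers."""
    return [name for name, (req, expected) in TRACES.items()
            if engine(req) != expected]
```

Running `run_regression` on both engines before a release shows that only the decoding engine passes the whole library, including the no-alert traces.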