Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
RE: Network hardware IPS
From: Dave Killion (Dkillionnetscreen.com)
Date: Tue Oct 07 2003 - 13:21:10 CDT
I wouldn't say "hardly ever", but you're right - it's difficult to get
good contexts a majority (over 50%) of the time. Which is why I mentioned
"find something unique to the attack, go for root cause, and get the
context as specific as possible" part.
"There are some sigs... you just can't reach. Which is what we had here
last week, which is the way he wants it. Well... he gets it..."
(Sorry - big Cool Hand Luke fan... ;) ).
Obviously I can't get through my point to Stefano, and I'm not bowing to
his. So I'm agreeing to disagree with him.
Anyway, anyone who's crazy enough to put "cmd.exe" in his path deserves
all the False Positives he can stomach. And quoting a 5-year old paper on
IDS evasion doesn't convince me.
If I can create signatures to detect the majority of important attacks
with a minimum of false positives, to the point where customers will buy
the product, then my job is successful.
What that magical point is, I'm not sure if it's mathematically
quantifiable. It comes down to the customer's personal requirements.
Which brings us full-circle to Marketing. Either you believe it, or you
don't. I'd suggest "Trust, but Verify". ;)
This email contains material that is confidential. The content of this
email is for the sole use of the intended recipient(s). Any review or
distribution by persons other than the intended recipient(s) without the
express permission of NetScreen Technologies, Inc. is strictly prohibited.
If you are not the intended recipient, please contact the sender and
delete/destroy all copies of this email and any related attachments.
NetScreen does not guarantee the accuracy or completeness of third party
materials or information.
From: david maynor [mailto:david.maynoroit.gatech.edu]
Sent: Tuesday, October 07, 2003 10:17 AM
To: Dave Killion
Cc: 'Stefano Zanero'; focus-idssecurityfocus.com
Subject: RE: Network hardware IPS
That is a nice example, but it hardly ever works like that. How about
you detect a worm that generates a lot of syns with a window size of
41425? You can write a sig that is dead on accurate but still detect
many false positives. You can't expect every attack to have
"written_by_phc" as a string in a packet.
- application/x-pkcs7-signature attachment: smime.p7s