CVE selection for IDS/IPS signature rules

Hi,

There are over 30000 CVE vulnerability reports. Many IDS/IPS devices have around 4000-5000 signature rules. My guess is that these signatures may cover (detect) around 4000-7000 attacks. 23000 to 26000 CVEs, that is, a significant number of CVEs, are not covered by IDS/IPS devices.

I am guessing that there is a reason for this. IDS/IPS vendors may be selecting few CVEs for developing signatures. What are the selection criteria followed in industry? One criterion I know is that Network IDS/IPS devices don't need to worry about attacks that can only be mounted on the local machine, that is, NIDS/NIPS devices only need to worry about detection of attacks mounted remotely. Are there any other considerations?

Thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

Re: CVE selection for IDS/IPS signature rules

Ravi Chunduru wrote:
> Hi,
>
> There are over 30000 CVE vulnerability reports. Many IDS/IPS devices have around 4000-5000 signature rules. My guess is that these signatures may cover (detect) around 4000-7000 attacks. 23000 to 26000 CVEs, that is, a significant number of CVEs, are not covered by IDS/IPS devices.
>
> I am guessing that there is a reason for this. IDS/IPS vendors may be selecting few CVEs for developing signatures. What are the selection criteria followed in industry? One criterion I know is that Network IDS/IPS devices don't need to worry about attacks that can only be mounted on the local machine, that is, NIDS/NIPS devices only need to worry about detection of attacks mounted remotely. Are there any other considerations?
>
> Thanks
> Ravi

Hi Ravi,

There are several reasons, probably more.

Some NIDS vendors try to code for generic exploit vectors and not specific vulnerabilities. Some try to do both.

Many of the CVEs not covered are for products that have come and gone, are very old, don't work over TCP/IP and so on.

Some CVE entries focus on weak encryption and denial of service attacks which can be difficult to see with NIDS technology.

Ron Gula
Tenable Network Security
http://www.nessus.org

RE: CVE selection for IDS/IPS signature rules

You got very good answers from Ron. I'll try to give some specifics.

1. Generic signatures

There are close to 10000 XSS and SQL injection vulnerabilities (based on search in www.osvdb.org). Some IPS/IDS vendors, including us, don't create signatures for each one of them. We are able to cover them using 200+ signatures which are generic in nature.

IPS systems having intelligent application detection may cover many buffer overflow attacks using few signatures. For example, we see many HTTP URL, HTTP request header/response header field, SMTP/FTP/IMAP/NNTP command buffer overflow attacks. Many of them can be detected with few signatures without having to develop rules for each CVE.

2. Signature deletion to improve IPS/IDS performance. This is one of the reasons you could see some discrepancy between CVE IDs and signatures.

Some vendors tend to delete very old signatures. Deciding which signatures to delete is a painful process. Some easier decisions are ones specific to executing the local applications via malformed JavaScript of pages related to popular web sites. Once these web sites fix the issue, there is no need for these signatures.

3. Vulnerabilities which can only be exploited after authentication. Some vendors tend to give lower priority for these vulnerabilities.

4. Vulnerabilities related to services which are typically accessed by other machines within same network (within one administrative domain). Some examples are LDAP and RADIUS servers. These are typically accessed by other servers within the network, that is, these services are not exposed to wider network. Again some vendors tend to give lower priority for these vulnerabilities.

5. Client side attacks requiring deeper data inspection: For network IDS/IPS, it becomes very difficult to develop signatures (requiring deeper data inspection) which can detect without any false positives and negatives. File based attacks are one example, where when the file is opened, client application either crashes or malfunctions. Difficulty of signature development arises from different methods to get the files (email, http etc.) and encoding mechanisms used. Due to these difficulties, you might not see signatures for some of these attacks. (One example: CVE-2008-0105)

6. Lack of information on vulnerabilities: At times, you see some time difference between disclosure and signature due to this.

Srini

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Ron Gula
Sent: Thursday, May 29, 2008 11:36 AM
To: Focus IDS
Subject: Re: CVE selection for IDS/IPS signature rules

Ravi Chunduru wrote:
> Hi,
>
> There are over 30000 CVE vulnerability reports. Many IDS/IPS devices have around 4000-5000 signature rules. My guess is that these signatures may cover (detect) around 4000-7000 attacks. 23000 to 26000 CVEs, that is, a significant number of CVEs, are not covered by IDS/IPS devices.
>
> I am guessing that there is a reason for this. IDS/IPS vendors may be selecting few CVEs for developing signatures. What are the selection criteria followed in industry? One criterion I know is that Network IDS/IPS devices don't need to worry about attacks that can only be mounted on the local machine, that is, NIDS/NIPS devices only need to worry about detection of attacks mounted remotely. Are there any other considerations?
>
> Thanks
> Ravi

Hi Ravi,

There are several reasons, probably more.

Some NIDS vendors try to code for generic exploit vectors and not specific vulnerabilities. Some try to do both.

Many of the CVEs not covered are for products that have come and gone, are very old, don't work over TCP/IP and so on.

Some CVE entries focus on weak encryption and denial of service attacks which can be difficult to see with NIDS technology.

Ron Gula
Tenable Network Security
http://www.nessus.org

Re: CVE selection for IDS/IPS signature rules

Thank you all for the responses.

There are some tools such as Karalon, Mu and others. I gather from different tests performed by Network World and other certification agencies, these tools are used to test the effectiveness of IDS/IPS devices. If the criteria being followed is not complemented by these test tools, then there could be differences in the test results. I wonder what is the criteria of test case selection by these tool vendors and certification agencies.

Any comments?

Ravi

On Mon, Jun 2, 2008 at 11:33 AM, Srinivasa Addepalli <srao@...> wrote:
>
> You got very good answers from Ron. I'll try to give some specifics.
>
> 1. Generic signatures
>
> There are close to 10000 XSS and SQL injection vulnerabilities (based on search in www.osvdb.org). Some IPS/IDS vendors, including us, don't create signatures for each one of them. We are able to cover them using 200+ signatures which are generic in nature.
>
> IPS systems having intelligent application detection may cover many buffer overflow attacks using few signatures. For example, we see many HTTP URL, HTTP request header/response header field, SMTP/FTP/IMAP/NNTP command buffer overflow attacks. Many of them can be detected with few signatures without having to develop rules for each CVE.
>
> 2. Signature deletion to improve IPS/IDS performance. This is one of the reasons you could see some discrepancy between CVE IDs and signatures.
>
> Some vendors tend to delete very old signatures. Deciding which signatures to delete is a painful process. Some easier decisions are ones specific to executing the local applications via malformed JavaScript of pages related to popular web sites. Once these web sites fix the issue, there is no need for these signatures.
>
> 3. Vulnerabilities which can only be exploited after authentication. Some vendors tend to give lower priority for these vulnerabilities.
>
> 4. Vulnerabilities related to services which are typically accessed by other machines within same network (within one administrative domain). Some examples are LDAP and RADIUS servers. These are typically accessed by other servers within the network, that is, these services are not exposed to wider network. Again some vendors tend to give lower priority for these vulnerabilities.
>
> 5. Client side attacks requiring deeper data inspection: For network IDS/IPS, it becomes very difficult to develop signatures (requiring deeper data inspection) which can detect without any false positives and negatives. File based attacks are one example, where when the file is opened, client application either crashes or malfunctions. Difficulty of signature development arises from different methods to get the files (email, http etc.) and encoding mechanisms used. Due to these difficulties, you might not see signatures for some of these attacks. (One example: CVE-2008-0105)
>
> 6. Lack of information on vulnerabilities: At times, you see some time difference between disclosure and signature due to this.
>
> Srini
>
> -----Original Message-----
> From: listbounce@... [mailto:listbounce@...] On Behalf Of Ron Gula
> Sent: Thursday, May 29, 2008 11:36 AM
> To: Focus IDS
> Subject: Re: CVE selection for IDS/IPS signature rules
>
> Ravi Chunduru wrote:
>> Hi,
>>
>> There are over 30000 CVE vulnerability reports. Many IDS/IPS devices have around 4000-5000 signature rules. My guess is that these signatures may cover (detect) around 4000-7000 attacks. 23000 to 26000 CVEs, that is, a significant number of CVEs, are not covered by IDS/IPS devices.
>>
>> I am guessing that there is a reason for this. IDS/IPS vendors may be selecting few CVEs for developing signatures. What are the selection criteria followed in industry? One criterion I know is that Network IDS/IPS devices don't need to worry about attacks that can only be mounted on the local machine, that is, NIDS/NIPS devices only need to worry about detection of attacks mounted remotely. Are there any other considerations?
>>
>> Thanks
>> Ravi
>
> Hi Ravi,
>
> There are several reasons, probably more.
>
> Some NIDS vendors try to code for generic exploit vectors and not specific vulnerabilities. Some try to do both.
>
> Many of the CVEs not covered are for products that have come and gone, are very old, don't work over TCP/IP and so on.
>
> Some CVE entries focus on weak encryption and denial of service attacks which can be difficult to see with NIDS technology.
>
> Ron Gula
> Tenable Network Security
> http://www.nessus.org

Re: CVE selection for IDS/IPS signature rules

Ravi Chunduru wrote:
> Hi,
>
> There are over 30000 CVE vulnerability reports. Many IDS/IPS devices have around 4000-5000 signature rules. My guess is that these signatures may cover (detect) around 4000-7000 attacks. 23000 to 26000 CVEs, that is, a significant number of CVEs, are not covered by IDS/IPS devices.
>
> I am guessing that there is a reason for this. IDS/IPS vendors may be selecting few CVEs for developing signatures. What are the selection criteria followed in industry? One criterion I know is that Network IDS/IPS devices don't need to worry about attacks that can only be mounted on the local machine, that is, NIDS/NIPS devices only need to worry about detection of attacks mounted remotely. Are there any other considerations?
>
> Thanks
> Ravi

Couple of things:

1. If you are talking about Network IDS/IPS, not all vulnerabilities are remotely exploitable. Some local vulnerabilities can only be detected by a HIDS if they can be detected at all.
2. Keep in mind that CVE is Common *Vulnerability* and Exposures, so it covers any vulnerability where IDS/IPS are generally exploit-centric. How are you going to detect if a vulnerability is exploited if there is no publicly known exploit? How do you find something when you don't know what it looks like?

Re: CVE selection for IDS/IPS signature rules

A quick comment on the below point:

> 2. Keep in mind that CVE is Common *Vulnerability* and Exposures, so it covers any vulnerability where IDS/IPS are generally exploit-centric. How are you going to detect if a vulnerability is exploited if there is no publicly known exploit? How do you find something when you don't know what it looks like?

All leading IPS vendors provide (or at least claim to provide) a vulnerability based detection capability.
The *idea* behind this is simple. Model the protocol and all the required triggering conditions for the vulnerability to be exploited, and it doesn't matter what exploit-code is being used.

<Disclaimer : I work for Sourcefire>

Snort has had this capability for years. For those interested a VRT (Sourcefire's Vulnerability Research Team) white paper is available that details this process with examples.

-Leon

On 3 Jun 2008, at 18:43, Enigma wrote:

> Ravi Chunduru wrote:
>> Hi,
>>
>> There are over 30000 CVE vulnerability reports. Many IDS/IPS devices have around 4000-5000 signature rules. My guess is that these signatures may cover (detect) around 4000-7000 attacks. 23000 to 26000 CVEs, that is, a significant number of CVEs, are not covered by IDS/IPS devices.
>>
>> I am guessing that there is a reason for this. IDS/IPS vendors may be selecting few CVEs for developing signatures. What are the selection criteria followed in industry? One criterion I know is that Network IDS/IPS devices don't need to worry about attacks that can only be mounted on the local machine, that is, NIDS/NIPS devices only need to worry about detection of attacks mounted remotely. Are there any other considerations?
>>
>> Thanks
>> Ravi
>
> Couple of things:
>
> 1. If you are talking about Network IDS/IPS, not all vulnerabilities are remotely exploitable. Some local vulnerabilities can only be detected by a HIDS if they can be detected at all.
> 2. Keep in mind that CVE is Common *Vulnerability* and Exposures, so it covers any vulnerability where IDS/IPS are generally exploit-centric. How are you going to detect if a vulnerability is exploited if there is no publicly known exploit? How do you find something when you don't know what it looks like?

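Added example, not part of any post in this thread and not any vendor's code: a minimal Python contrast between an exploit-specific byte signature and the vulnerability-based check Leon describes, which is also the kind of generic command-overflow signature Srini mentions. The line-based protocol, the 128-byte limit, the command set and the sample sessions are all constructed assumptions.

```python
# Added example. The line-based protocol, the 128-byte limit, the command
# set and all sample sessions are constructed assumptions, not taken from
# any real product, rule set or exploit.
import re

MAX_ARG_LEN = 128                             # assumed size of the server's buffer
CHECKED_VERBS = {b"USER", b"PASS", b"CWD"}    # assumed commands sharing that buffer

# Exploit-specific signature: keyed to the filler bytes of one known sample.
EXPLOIT_SIG = re.compile(rb"USER A{64,}")


def exploit_signature_match(stream: bytes) -> bool:
    """True if the byte pattern of the one known sample appears."""
    return EXPLOIT_SIG.search(stream) is not None


def parse_commands(stream: bytes):
    """Yield (verb, argument) per command line; verbs are case-insensitive."""
    for raw in stream.split(b"\n"):
        line = raw.rstrip(b"\r")
        if line:
            verb, _, arg = line.partition(b" ")
            yield verb.upper(), arg


def vulnerability_check(stream: bytes):
    """Return [(verb, arg_len)] wherever the triggering condition holds.

    The condition is the modelled vulnerability itself (an argument longer
    than the buffer), so the payload bytes are irrelevant.
    """
    return [(verb.decode(), len(arg))
            for verb, arg in parse_commands(stream)
            if verb in CHECKED_VERBS and len(arg) > MAX_ARG_LEN]


# Constructed sessions: filler bytes only, no real payloads.
SESSIONS = {
    "benign login":       b"USER alice\r\nPASS correct-horse\r\nCWD /pub\r\n",
    "known sample":       b"USER " + b"A" * 300 + b"\r\n",
    "different filler":   b"USER " + b"Zq" * 150 + b"\r\n",
    "lower-case verb":    b"user " + b"A" * 300 + b"\r\n",
    "other command":      b"USER bob\r\nCWD " + b"/x" * 100 + b"\r\n",
    "long but in bounds": b"USER " + b"A" * 100 + b"\r\n",
}


def compare(sessions=SESSIONS):
    """Map session name -> (exploit signature fired, vulnerability check hits)."""
    return {name: (exploit_signature_match(data), vulnerability_check(data))
            for name, data in sessions.items()}


if __name__ == "__main__":
    for name, (sig, hits) in compare().items():
        print(f"{name:20} signature={sig!s:5} vulnerability={hits}")
```

The byte signature misses three of the four over-long arguments and fires on the in-bounds one, while the modelled condition is only as accurate as the assumed limit and command list.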
RE: CVE selection for IDS/IPS signature rules

Hi,

Let me add another complexity dimension in this topic. Few IDS/IPS vendors can correlate their vulnerability assessment tools with their IDP products (i.e. McAfee, IBM, Tenable, and a few others). None of them however, can link vulnerabilities with exploits and IDP signatures as well, which makes sense since IDP detects attacks (i.e. one or more vulnerabilities exploited in a predefined -not random- order) not plain vulnerabilities.

The IDP community -to the best of my knowledge- is still missing a topological-aware mechanism to produce potential attacks based on real vulnerabilities found in systems/networks. To this extent, it is still virtually impossible to eliminate false positives in IDP (learning mode is a nightmare for those who tried, clearly not an option) while it's also extremely hard to eliminate false negatives in VA tools (it would be great if a tool could base verdict upon partially discovered signs of attacks).

What seems of interest and what I've been working on for the last couple of years is to integrate post-incident capabilities (e.g. info from SIEMs) along with vulnerability scoring (like Mitre's CVSS) into IDP/VA tools. This would allow for quite flexible configuration scenarios in IDP, since vulnerabilities are discovered (VA tool) and (semi)automatically scored (CVSS), verified (SIEM information) while a smaller set of signatures (IDP) can detect and block attacks since they can break the predefined order of vulnerability exploit.

In other words, such a view could allow for policies based on attack paths and not underlying OS, network topology, collision domains, groups or VLANs.

Thanks a lot,
Dimitrios Patsos, Ph.D.(Cand),M.Sc.,CCSE,CCDA,CCSP,CME

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Enigma
Sent: Tuesday, June 03, 2008 8:44 PM
To: Ravi Chunduru
Cc: Focus IDS
Subject: Re: CVE selection for IDS/IPS signature rules

Ravi Chunduru wrote:
> Hi,
>
> There are over 30000 CVE vulnerability reports. Many IDS/IPS devices have around 4000-5000 signature rules. My guess is that these signatures may cover (detect) around 4000-7000 attacks. 23000 to 26000 CVEs, that is, a significant number of CVEs, are not covered by IDS/IPS devices.
>
> I am guessing that there is a reason for this. IDS/IPS vendors may be selecting few CVEs for developing signatures. What are the selection criteria followed in industry? One criterion I know is that Network IDS/IPS devices don't need to worry about attacks that can only be mounted on the local machine, that is, NIDS/NIPS devices only need to worry about detection of attacks mounted remotely. Are there any other considerations?
>
> Thanks
> Ravi

Couple of things:

1. If you are talking about Network IDS/IPS, not all vulnerabilities are remotely exploitable. Some local vulnerabilities can only be detected by a HIDS if they can be detected at all.
2. Keep in mind that CVE is Common *Vulnerability* and Exposures, so it covers any vulnerability where IDS/IPS are generally exploit-centric. How are you going to detect if a vulnerability is exploited if there is no publicly known exploit? How do you find something when you don't know what it looks like?

Re: CVE selection for IDS/IPS signature rules

Leon Ward wrote:
> A quick comment on the below point:
>
>> 2. Keep in mind that CVE is Common *Vulnerability* and Exposures, so it covers any vulnerability where IDS/IPS are generally exploit-centric. How are you going to detect if a vulnerability is exploited if there is no publicly known exploit? How do you find something when you don't know what it looks like?
>
> All leading IPS vendors provide (or at least claim to provide) a vulnerability based detection capability.
> The *idea* behind this is simple. Model the protocol and all the required triggering conditions for the vulnerability to be exploited, and it doesn't matter what exploit-code is being used.
>
> <Disclaimer : I work for Sourcefire>
>
> Snort has had this capability for years. For those interested a VRT (Sourcefire's Vulnerability Research Team) white paper is available that details this process with examples.
>
> -Leon
>
> On 3 Jun 2008, at 18:43, Enigma wrote:
>
>> Ravi Chunduru wrote:
>>> Hi,
>>>
>>> There are over 30000 CVE vulnerability reports. Many IDS/IPS devices have around 4000-5000 signature rules. My guess is that these signatures may cover (detect) around 4000-7000 attacks. 23000 to 26000 CVEs, that is, a significant number of CVEs, are not covered by IDS/IPS devices.
>>>
>>> I am guessing that there is a reason for this. IDS/IPS vendors may be selecting few CVEs for developing signatures. What are the selection criteria followed in industry? One criterion I know is that Network IDS/IPS devices don't need to worry about attacks that can only be mounted on the local machine, that is, NIDS/NIPS devices only need to worry about detection of attacks mounted remotely. Are there any other considerations?
>>>
>>> Thanks
>>> Ravi
>>
>> Couple of things:
>>
>> 1. If you are talking about Network IDS/IPS, not all vulnerabilities are remotely exploitable. Some local vulnerabilities can only be detected by a HIDS if they can be detected at all.
>> 2. Keep in mind that CVE is Common *Vulnerability* and Exposures, so it covers any vulnerability where IDS/IPS are generally exploit-centric. How are you going to detect if a vulnerability is exploited if there is no publicly known exploit? How do you find something when you don't know what it looks like?

This is a little off topic. Not knocking Sourcefire or VRT (3D is great and I use the VRT sigs all the time) but I have found these type of signatures to have the highest rate of false positives. Don't get me wrong, these are useful when there isn't anything else but signatures developed from public or at least seen-in-the-wild exploits are much more accurate.

Re: CVE selection for IDS/IPS signature rules

an earlier comment from ron gula touched on how some vulns are remote etc.

as of a few days ago, here's some quick numbers around the "range" element (where the attack can be mounted from) from the NVD, which annotates CVE entries. note that some attacks can have multiple range attributes.

    nvd=# SELECT range_type, count(range_type) from range group by range_type;
      range_type   | count
    ---------------+-------
     local         |  5368
     remote        | 19697
     user_init     |  3121
     network       |  6929
     local_network |   114
    (5 rows)

data from http://nvd.nist.gov/, imported into a local SQL database for use.

________
jose nazario, ph.d. http://monkey.org/~jose/

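Added example, not part of the post above: because one CVE can carry several range attributes, the per-type query counts rows rather than CVEs, so a NIDS coverage estimate needs CVE-level counts instead. Only the `range` table and its `range_type` column come from the post; the `cve_id` column, the placeholder ids and the choice of `remote` and `network` as the network-mountable types are assumptions.

```python
# Added example. The post shows only the "range" table and its range_type
# column; the cve_id column, the placeholder ids and the grouping of range
# types below are assumptions made for this illustration.
import sqlite3

# Constructed rows: (cve_id, range_type). One entry may carry several types.
ROWS = [
    ("EX-A", "remote"), ("EX-A", "network"),
    ("EX-B", "local"),
    ("EX-C", "remote"), ("EX-C", "user_init"),
    ("EX-D", "local"), ("EX-D", "local_network"),
    ("EX-E", "network"),
    ("EX-F", "local"), ("EX-F", "remote"),
]

NETWORK_TYPES = ("remote", "network")   # assumed: mountable over the network


def load(rows=ROWS):
    """Build an in-memory stand-in for the locally imported NVD table."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE "range" (cve_id TEXT, range_type TEXT)')
    db.executemany('INSERT INTO "range" VALUES (?, ?)', rows)
    return db


def per_type_counts(db):
    """The query from the post: it counts rows per type, not CVEs."""
    return dict(db.execute(
        'SELECT range_type, count(range_type) FROM "range" GROUP BY range_type'))


def cve_level_summary(db):
    """Count each CVE once, however many range attributes it carries."""
    def one(sql, args=()):
        return db.execute(sql, args).fetchone()[0]

    marks = ",".join("?" * len(NETWORK_TYPES))
    return {
        "rows": one('SELECT count(*) FROM "range"'),
        "distinct_cves": one('SELECT count(DISTINCT cve_id) FROM "range"'),
        # Candidates for network signatures: any network-mountable attribute.
        "network_candidates": one(
            'SELECT count(DISTINCT cve_id) FROM "range" '
            f"WHERE range_type IN ({marks})", NETWORK_TYPES),
        # Out of NIDS scope: every attribute of the entry is 'local'.
        "local_only": one(
            'SELECT count(*) FROM (SELECT cve_id FROM "range" GROUP BY cve_id '
            "HAVING sum(range_type <> 'local') = 0)"),
    }


if __name__ == "__main__":
    db = load()
    print(per_type_counts(db))
    print(cve_level_summary(db))
```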
Re: CVE selection for IDS/IPS signature rules

On Jun 3, 2008, at 3:00 PM, Enigma wrote:
> This is a little off topic. Not knocking Sourcefire or VRT (3D is great and I use the VRT sigs all the time) but I have found these type of signatures to have the highest rate of false positives. Don't get me wrong, these are useful when there isn't anything else but signatures developed from public or at least seen-in-the-wild exploits are much more accurate.

I know that Sourcefire has a great false positive reporting method for rules. Pcaps are needed.

--
Joel Esler
joel.esler@...
http://blog.joelesler.net
[m]