[Snort-users] New Trend: Intrusion Prevention

Alberto Gonzalez albertg at ...7149...
Fri Dec 13 12:57:02 EST 2002


Why would you want to use an IPS to stop a SYN|FIN sweep? Portscans are
the same ol' thing nowadays. Not like in the past few years, where new
techniques would keep getting released. Your IPS software (appliance)
should be tuned to defend against attacks, not mere probes at your
network. Heck, there are methods to trick nmap out there. I think if
intrusion prevention is going to get anywhere, it needs to just
concentrate on attacks; you don't want to overwhelm it. Or is it just me
that hasn't seen anything interesting in a portscan in the last, oh, say,
year?

These are my opinions. I would love to hear others, but let's keep it
off-list.

Cheers!

    - Alberto

Bob Dehnhardt wrote:

>Everything I've seen about IPS is that it's intended as another facet of
>security, not as a replacement for IDS. IPS is useful for preventing attacks
>that can be identified with a high (99%+) degree of accuracy, like SYN/FIN
>sweeps. Attacks that may have a significant number of false positives are
>outside IPS's realm, since having that traffic dropped would likely affect
>normal network operations. IDS with a real live decision-making person will
>be used in those cases, just as today.
>
>There is no single solution, probably never will be.
>
> - Bob
>
>Bob Dehnhardt
>IT Operations Manager - Reno
>TriNet
>(775) 327-6407
>
> -----Original Message-----
>From: 	Steve Halligan [mailto:giermo at ...187...] 
>Sent:	Friday, December 13, 2002 10:16 AM
>To:	'Sheahan, Paul (PCLN-NW)'; Snort List (E-mail)
>Subject:	RE: [Snort-users] New Trend: Intrusion Prevention
>
>  
>
>>I attended Infosecurity 2002 yesterday and there was much talk about
>>intrusion detection going away, and intrusion prevention replacing it.
>>Does anyone know if there are any plans to include intrusion prevention
>>functionality into Snort in the future?
>
>The future is now.
>
>http://www.snort.org/dl/contrib/patches/inline/
>
>Also see Hogwash at:
>http://www.snort.org/dl/contrib/patches/hogwash/
>
>Now one could (and I would) debate the premise that you stated, but that is
>a whole 'nother can of worms.
>
>-steve
>

-- 
The secret to success is to start from scratch and keep on scratching.





