[Snort-users] New Trend: Intrusion Prevention

Chris Eidem ceidem at ...5503...
Fri Dec 13 13:29:03 EST 2002


> -----Original Message-----
> From: twig les [mailto:twigles at ...131...]
> Sent: Friday, December 13, 2002 2:27 PM
> To: Ibarra, Michael; 'Sheahan, Paul (PCLN-NW)'; Snort List (E-mail)
> Subject: RE: [Snort-users] New Trend: Intrusion Prevention
> 
> 
> I've seen a few of these for a couple years now, but
> generally I run into the host-based ones.  Eeye makes
> one for that retarded MS web server here:
> http://www.eeye.com/html/Products/SecureIIS/index.html
> 
> I believe it intercepts kernel calls and blocks/passes
> them, kinda playing middleman.  Not sure though. 
> Looks neat, but I don't see any silver bullet here
> either; not unless you want to slap this type of thing
> on your 500-5000 XP workstations too.

my retarded servers have enough trouble with their IIS miscommunicating
with the kernel as it is.  i really don't want to add another layer that
could muck things up even more...

my basic thought is this (IPS - that is) is too dangerous right now for
this to be used in a production network.  the DOS potential against a
system is way too high and you would have to have 10000 rules to make sure
that you have the right signature before you start blocking connections
accurately.

locking the doors and checking the windows is difficult enough without
having to go out onto the sidewalk and chase any 'shady' looking person
from your yard.

 - chris



