[Snort-users] Error trapping signatures ...

Jon Baer security at ...9153...
Sun Jun 22 11:14:05 EDT 2003


actually seems to be an old idea ...

http://www.phrack.org/phrack/56/p56-0x0b

it's 3 years old but makes a lot of good points ...

-snip-
An IDS which implements a strict anomaly detection model can never enter a
false-positive state, i.e. can never generate a false alarm, because activity
which occurs outside the definition of "use", by definition, has security
relevance.
-snip-

i think it makes sense to wrap these types of sigs around apps like mysql, for
example, once it's in production, but does anyone here on the list actually
deploy these types of techniques w/ success?

- jon

pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47


----- Original Message ----- 
From: "Erek Adams" <erek at ...950...>
To: "Jon Baer" <security at ...9153...>
> Basically, once you have a "known" network, it doesn't take much to get a
> set of rules when you see "something that shouldn't be happening".  A nice
> benefit of this is that once this is setup, any changes that are made to
> the network (rogue server) become pretty obvious.
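As an added illustration of the "known use" idea discussed above (not code from the thread or the Phrack article), here is a minimal Snort 2.x rule set that whitelists the expected clients of a production MySQL server and alerts on everything else. The addresses, variable names and sids are constructed for the example.

```snort
# Added example, not part of the original post. Snort 2.x rule syntax.
# Constructed addresses: DB_SERVER is the MySQL host, APP_SERVERS the only
# hosts that are supposed to open sessions to it. Sids >= 1000000 are the
# range reserved for local rules; the values here are placeholders.
var DB_SERVER 10.0.0.5
var APP_SERVERS [10.0.1.10,10.0.1.11]

# Snort's default rule order is alert -> pass -> log, which would evaluate the
# alert rule below before the pass rule and fire on the legitimate clients too.
# Put this in snort.conf (equivalent to starting snort with -o) so pass wins:
# config order: pass alert log

# 1. The defined "use": connection attempts (bare SYN) from the application
#    tier to the database are expected and generate no alert.
pass tcp $APP_SERVERS any -> $DB_SERVER 3306 (msg:"MYSQL known client"; flags:S; sid:1000001; rev:1;)

# 2. Any other host trying to open a session to the database is, by the strict
#    model, outside its use: a new box, a rogue server, or a scan.
alert tcp any any -> $DB_SERVER 3306 (msg:"MYSQL connection from unlisted host"; flags:S; sid:1000002; rev:1;)

# 3. The database only ever answers its clients. flags:S matches an exact SYN,
#    so its SYN/ACK replies are ignored; a SYN it sends means something on the
#    server changed (replication to a new peer would also trip this).
alert tcp $DB_SERVER any -> any any (msg:"MYSQL server initiating outbound TCP session"; flags:S; sid:1000003; rev:1;)
```

Every firing of sid 1000002 or 1000003 is a change to the known network, which is exactly the class of event the quoted reply says becomes obvious once the baseline is defined.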