[Snort-users] [Emerging-Sigs] Reliability of signatures

Matt Olney molney at ...1935...
Fri Feb 11 10:08:12 EST 2011


The key here is that network IDS is low-latency.  There are solutions for
SPAM that are established and proven.  I'll let them do their jobs, because
they can take their time to parse the email, consult spamhaus, etc...  There
is not a better solution for detecting the delivery of exploits, that is the
job of an IDS.  SPAM can lead you to an attack, or to a longer *****, but it
isn't, in itself an attack.

I agree there is a ton of metadata on the network that is incredibly useful
both for correlation and forensics (see intel nuggets on Razorback).  But
again, that is parsing known protocols that are well formed.  Easy at speed.

On Fri, Feb 11, 2011 at 9:55 AM, Seth Hall <seth at ...14966...> wrote:

>
> On Feb 10, 2011, at 9:55 AM, Matt Olney wrote:
>
> > Also, SPAM isn't an IDS issue, at least from my point of view.  I worry
> about malicious, not asinine.
>
> Ouch, seriously?  In my opinion, if it goes over the network it's an IDS
> issue.  Sometimes it's incredible how many little, seemingly inconsequential
> bits of information will add up over time to mean something much different
> and much more important.  Maybe the remote IP address sending spam doesn't
> mean much for an incident response team by itself, but if that IP address
> logs into some local box over SSH that would be worth looking into.
>
>  .Seth
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110211/05e3ff4f/attachment.html>


More information about the Snort-users mailing list