Focus on IDS
IDS causing troubles Feb 01 2011 09:53AM
Shang Tsung (shangtsung71 gmail com) (9 replies)
Re: IDS causing troubles Feb 03 2011 10:32AM
Udo Sprotte (Udo Sprotte t-online de)
Re: IDS causing troubles Feb 02 2011 10:59PM
Paul Palmer (b paul palmer gmail com)
RE: IDS causing troubles Feb 02 2011 06:33AM
alex cc technion ac il
RE: IDS causing troubles Feb 02 2011 04:06AM
Alex Nepolian cognizant com
Re: IDS causing troubles Feb 02 2011 12:04AM
Antônio Arruda Neto (anetoarruda gmail com)
Re: IDS causing troubles Feb 01 2011 09:41PM
Jeff Ames (jeffames nemesissolutions co uk)
Re: IDS causing troubles Feb 01 2011 08:50PM
Shwetabh Sharma (shwetabhsharma gmail com) (1 replies)
RE: IDS causing troubles Feb 04 2011 06:35AM
IT_H_Security (IT_H_Security MahindraSatyamBPO com)
Re: IDS causing troubles Feb 01 2011 08:48PM
JiPi DiNi (jipidini gmail com)
RE: IDS causing troubles Feb 01 2011 08:26PM
Andrew Plato (andrew plato anitian com) (1 replies)
Re: IDS causing troubles Feb 11 2011 07:41AM
Joel Jaeggli (joelja bogus com) (2 replies)
RE: IDS causing troubles Feb 12 2011 06:39PM
Bob-Buel (bob buel org) (1 replies)
SV: IDS causing troubles Feb 15 2011 07:39AM
Anders Petrén (anders certezza net)
RE: IDS causing troubles Feb 11 2011 06:23PM
Matthew Fitzgerald (matthew fitzgerald cae com) (2 replies)
Re: IDS causing troubles Feb 14 2011 05:21PM
Curt Purdy (infosysec gmail com)
Re: IDS causing troubles Feb 11 2011 07:14PM
Joel Jaeggli (joelja bogus com) (2 replies)
Re: IDS causing troubles Feb 15 2011 03:23PM
Joel Esler (joel esler me com) (1 replies)
Re: IDS causing troubles Feb 18 2011 02:21PM
Curt Purdy (infosysec gmail com) (1 replies)
Re: IDS causing troubles Feb 18 2011 02:28PM
Joel Esler (joel esler me com) (1 replies)
Re: IDS causing troubles Feb 18 2011 02:49PM
Curt Purdy (infosysec gmail com) (1 replies)
Re: IDS causing troubles Feb 18 2011 02:51PM
Joel Esler (joel esler me com)
On Feb 18, 2011, at 9:49 AM, Curt Purdy wrote:

> Did not realize you were with Sourcefire Joel, would not have been so
> 'harsh' in my comments. Give my regards to Martin.
>
It's not a problem, don't take it like that, I just view it as important to educate those that may not be aware of the terminology that is in play.

> FWIW, it was Snort that forced me to create the world's first SIM in
> 2000, when I could not stand the false positives, and decided to put
> all my servers in the top 128 of a class A and nothing but honeypots
> in the bottom 128 and only monitor it. Every time I got an alert, I
> knew I had bagged a cracker.

This is STILL an effective method against scanners and scripts. However, unfortunately, most of the attacks have turned client side now, and the game has changed.

Joel

>
> Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
> infosysec (at) gmail (dot) com
> purdy (at) tecman (dot) com
>
>
>
> On Fri, Feb 18, 2011 at 9:28 AM, Joel Esler <joel.esler (at) me (dot) com> wrote:
>> Fair enough, (and I doubt I'm too young), however, back then, there was no difference. There is now.
>>
>> When ISS RealSecure first started coming out with the technology of sending RST packets, I remember people called it IPS back then too. When tools that auto-blocked at firewalls started coming out, they called it IPS, when IPS without a failopen came along, people called it an IPS. However, if we look at the landscape now, I argue that it's different and we wouldn't call IPS the same thing anymore. Which is why I didn't.
>>
>> I think it's important to understand not only where we've been, but where we are, and where we are going. I work in the IPS industry (Sourcefire) as I am sure many others on this list do as well, and it's important (at least to me) that people understand the distinction. I get the reaction all the time that "IPS doesn't work, because all it does is send RST packets", which in fact IPS is now a very mature technology.
>>
>> I think it's important to understand the difference in the technologies. Not everyone on the list has "been there and done that". The beauty part about a list like this is it brings the seasoned and the new together in a common environment where the above can be discussed.
>>
>> Joel
>>
>> On Feb 18, 2011, at 9:21 AM, Curt Purdy wrote:
>>
>>> If this were a literary list, we could argue semantics till the cows
>>> come home Joel. But being an information security list let's stick to
>>> technology. You may be too young to remember the very first Intrusion
>>> 'Protection' System that was not in-line at all. It was simply an IDS
>>> that added ACLs to the firewall to block the grievous party. Everyone
>>> accepted the developer's term 'IPS'.
>>>
>>> Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
>>> infosysec (at) gmail (dot) com
>>> purdy (at) tecman (dot) com

--
Joel Esler
http://www.joelesler.net

Re: IDS causing troubles Feb 14 2011 06:28PM
JiPi DiNi (jipidini gmail com) (1 replies)
Re: IDS causing troubles Feb 15 2011 03:25PM
Joel Esler (joel esler me com) (2 replies)
Re: IDS causing troubles Feb 19 2011 03:47AM
Ichilov (zivi radware com)
RE: IDS causing troubles Feb 15 2011 04:08PM
Matthew Fitzgerald (matthew fitzgerald cae com)


 

Copyright 2010, SecurityFocus