Re: Snort with an expert system -- 2009-06-25 -- Stefano Zanero (s zanero securenetwork it) (1 replies)
    >> Is it a false positive a case where there is no rule, or the traffic
    >> does not match with the rule, and the engine still fires?
    > This does not fit with the above definition since the alert must be
    > triggered by the traffic.
    You would be surprised in knowing that this is the only case where [ more ]

Re: Snort with an expert system -- 2009-06-25 -- Tomas Olsson (tol sics se) (1 replies)
Re: Snort with an expert system -- 2009-06-25 -- Joel Esler (eslerj gmail com) (1 replies)
Re: Snort with an expert system -- 2009-06-25 -- Greg Shipley (gshipley neohapsis com) (3 replies)
Re: Snort with an expert system -- 2009-06-25 -- Martin Roesch (roesch sourcefire com) (1 replies)
Re: Snort with an expert system -- 2009-06-26 -- Gary Halleen (ghalleen cisco com) (1 replies)
Re: Snort with an expert system -- 2009-06-26 -- Stefano Zanero (s zanero securenetwork it) (2 replies)

AW: Announcing Allthreats -- 2009-06-24 -- Daniel, Akos (a daniel drillisch-telecom de) (1 replies)
    Hi, I think this can cause some information leaking for companies, where the
    admin does not understand the content of a sniffer file and/or the sensitivity
    of the sniffed traffic is underestimated. What will happen with the uploaded
    files? Anyway, home users can have huge advantages from that tool, if the [ more ]

Re: AW: Announcing Allthreats -- 2009-06-24 -- Ismael Briones (ismak inkatel com) (1 replies)

Announcing Allthreats -- 2009-06-23 -- Ismael Briones (ismak inkatel com) (1 replies)
    I would like to announce www.allthreats.com. Allthreats is a free online
    network traffic analyzer. This system is able to analyze a pcap file with
    several tools: IDS (only Snort at the moment [Sourcefire VRT and Emerging
    Threats signatures], I'll integrate Bro IDS soon), Honeysnap (from honey [ more ]

Can a Bypass Switch Prevent Link Flapping - When inline device fails? -- 2009-06-23 -- bikramkgupta gmail com
    Hi, I am looking at the following Net Optics Bypass switch.
    http://netoptics.com/products/product_family_details.asp?cid=8&pid=214&Section=products&menuitem=8&tag=NetOptics+iBypass+Bypass
    My initial understanding was that the Bypass switch will actually maintain
    link state with the inline device, [ more ]

Re: Re: Snort with an expert system -- 2009-06-22 -- tol sics se (1 replies)
    Hi, Coming late into this conversation, but what about using statistical
    learning filtering instead of an expert system? We have done it using an
    anomaly detection algorithm we have developed: http://eprints.sics.se/3591/
    (link to paper https://daisy.dsv.su.se/fil/visa?id=24833)
    /Tomas [ more ]

Re: Snort with an expert system -- 2009-06-25 -- Stefano Zanero (s zanero securenetwork it) (1 replies)
Re: Snort with an expert system -- 2009-06-25 -- Tomas Olsson (tol sics se) (1 replies)
Re: Snort with an expert system -- 2009-06-25 -- Stefano Zanero (s zanero securenetwork it) (1 replies)
Re: Snort with an expert system -- 2009-06-25 -- Tomas Olsson (tol sics se) (1 replies)
Re: Snort with an expert system -- 2009-06-25 -- Stefano Zanero (s zanero securenetwork it) (1 replies)
Re: Snort with an expert system -- 2009-06-26 -- Gary Halleen (ghalleen cisco com) (1 replies)
Stefano Zanero wrote:
>> "A false positive is an alert that triggers on normal traffic where no
>> intrusion or attack is underway"
>>
>
> That's a good definition, but not really complete. Under that
> definition, if you place a rule that flags IRC connections,
[ more ]