<div dir="ltr">Agreed! There's also the point that scanning clients' egress traffic can indicate whether a malware infection was successful or not. Customers don't care much about attacks, they care about compromises, and while being aware of unsuccessful attacks is important to us so that we can warn others, it's not the top priority. <br>
<br>--Martin<br><br><div class="gmail_quote">On Fri, Oct 17, 2008 at 2:44 PM, Rob, grandpa of Ryan, Trevor, Devon & Hannah <span dir="ltr"><<a href="mailto:rMslade@shaw.ca">rMslade@shaw.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Date sent: Thu, 16 Oct 2008 21:00:32 -0400<br>
From: Matt Jonkman <<a href="mailto:jonkman@jonkmans.com">jonkman@jonkmans.com</a>><br>
<br>
> Here's the big thread. And don't be afraid to start sub-threads for<br>
> specifics here.<br>
<br>
OK :-)<br>
<br>
> OK, those are my initial wish list items. Who has more? What else should<br>
> we do?<br>
<br>
Allow me to throw in a strong push for including egress scanning and analysis. We<br>
tend to get fixated on the traditional bastion position, with the bad guys all on the<br>
outside and everything inside is pure. In the current malware-rich environment<br>
that is untenable. We also can gain a lot more granular information (in addition<br>
to the defence-in-depth backstop) from egress scanning, since we have a much<br>
batter idea of what *should* be leaving our nets.<br>
<br>
====================== (quote inserted randomly by Pegasus Mailer)<br>
<a href="mailto:rslade@vcn.bc.ca">rslade@vcn.bc.ca</a> <a href="mailto:slade@victoria.tc.ca">slade@victoria.tc.ca</a> <a href="mailto:rslade@computercrime.org">rslade@computercrime.org</a><br>
I appreciate the fact that this draft was done in haste, but<br>
some of the sentences that you are sending out in the world to<br>
do your work for you are loitering in taverns or asleep beside<br>
the highway.<br>
-- Dr. Dwight Van de Vate, Professor of Philosophy,<br>
University of Tennessee at Knoxville<br>
<a href="http://victoria.tc.ca/techrev/rms.htm" target="_blank">victoria.tc.ca/techrev/rms.htm</a> <a href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank">blogs.securiteam.com/index.php/archives/author/p1/</a><br>
_______________________________________________<br>
Discussion mailing list<br>
<a href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br>
</blockquote></div><br></div>