[Discussion] Why IDS sucks
Thorsten Holz
thorsten.holz at informatik.uni-mannheim.de
Fri Oct 17 12:09:35 UTC 2008
On 17.10.2008, at 01:56, David Glosser wrote:
> Matt, this begs for a wiki or something once you gather enough
> information.
Yes, a wiki would perhaps help to structure the information.
> -I would like to get alerts for L2 stuff (BPDUs, CDP, etc).
> -ways to get alerts for fast-flux and other things where current sigs
> are prone to FPs
Just out of curiosity: what techniques do you use to detect fast-flux
domains? And doesn't a whitelist help or do you see so many
legitimate domains that look like fast-flux?
Cheers,
Thorsten