[Discussion] Why IDS sucks

David Glosser david.glosser at gmail.com
Fri Oct 17 14:17:46 UTC 2008


I believe Matt tested some Fast-Flux sigs, but they were prone to FPs
from legit sites such as Amazon or CNN...

On Fri, Oct 17, 2008 at 8:09 AM, Thorsten Holz
<thorsten.holz at informatik.uni-mannheim.de> wrote:
> On 17.10.2008, at 01:56, David Glosser wrote:
>
>> Matt, this begs for a wiki or something once you gather enough
>> information.
>
> Yes, a wiki would perhaps help to structure the information.
>
>> -I would like to get alerts for L2 stuff (BPDUs, CDP, etc).
>> -ways to get alerts for fast-flux and other things where current sigs
>> are prone to FPs
>
> Just out of curiosity: what techniques do you use to detect fast-flux
> domains? And doesn't a whitelist help or do you see so many legitimate
> domains that look like fast-flux?
>
> Cheers,
>  Thorsten
>
>
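The thread's point is that a signature keyed on "short TTL plus many A records" fires on CDN-fronted sites as readily as on fast-flux domains. As an added example that is not part of the original thread, the Python below scores constructed DNS observations with that naive test, then adds the two mitigations the discussion mentions: a whitelist of registered domains, and a check that the addresses are spread across many autonomous systems (fast-flux nodes sit in unrelated networks, a CDN's addresses cluster in a few ASNs). Domain names, addresses and ASNs are all made up for illustration.

```python
from dataclasses import dataclass

# Constructed whitelist of registered domains known to use CDN-style DNS.
WHITELIST = {"amazon.com", "cnn.com"}


@dataclass
class DnsObservation:
    """One resolver answer for a name: TTL plus the A records and their ASNs."""
    domain: str
    ttl: int
    ips: list[str]
    asns: list[int]  # ASN of each IP, parallel to ips (constructed, not looked up)


def naive_sig(obs: DnsObservation) -> bool:
    """Signature-style test: short TTL and many A records. Fires on CDNs too."""
    return obs.ttl <= 300 and len(set(obs.ips)) >= 5


def whitelisted(domain: str, whitelist=WHITELIST) -> bool:
    """Match the name or any parent label (except the bare TLD) against the whitelist."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels) - 1))


def classify(obs: DnsObservation, whitelist=WHITELIST) -> str:
    """Return 'whitelisted', 'benign', 'cdn-like' or 'fast-flux'."""
    if whitelisted(obs.domain, whitelist):
        return "whitelisted"
    if not naive_sig(obs):
        return "benign"
    # Require ASN diversity before alerting: many IPs in one or two ASNs is
    # what a CDN looks like, many IPs in many ASNs is what fast-flux looks like.
    return "fast-flux" if len(set(obs.asns)) >= 3 else "cdn-like"


# Constructed samples (documentation-range addresses, private-use ASNs).
FLUX = DnsObservation("flux-example.invalid", 120,
                      ["198.51.100.%d" % i for i in range(1, 8)],
                      [64500 + i for i in range(7)])
CNN = DnsObservation("www.cnn.com", 60,
                     ["203.0.113.%d" % i for i in range(10, 16)], [64496] * 6)
QUIET = DnsObservation("www.example.org", 3600, ["192.0.2.10"], [64497])

if __name__ == "__main__":
    for obs in (FLUX, CNN, QUIET):
        print(f"{obs.domain:24} naive_sig={naive_sig(obs)!s:5} classify={classify(obs)}")
```

Running `classify(CNN, whitelist=set())` shows the ASN check alone already downgrades the CDN sample from an alert to "cdn-like"; the whitelist is the second line of defence for sites whose address pool does span several networks.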
