[Discussion] Why IDS sucks
David Glosser
david.glosser at gmail.com
Fri Oct 17 14:17:46 UTC 2008
I believe Matt tested some Fast-Flux sigs, but they were prone to FPs
from legit sites such as amazon or cnn.....
On Fri, Oct 17, 2008 at 8:09 AM, Thorsten Holz
<thorsten.holz at informatik.uni-mannheim.de> wrote:
> On 17.10.2008, at 01:56, David Glosser wrote:
>
>> Matt, this begs for a wiki or something once you gather enough
>> information.
>
> Yes, a wiki would perhaps help to structure the information.
>
>> -I would like to get alerts for L2 stuff (BPDUs, CDP, etc).
>> -ways to get alerts for fast-flux and other things where current sigs
>> are prone to FPs
>
> Just out of curiosity: what techniques do you use to detect fast-flux
> domains? And doesn't a whitelist help or do you see so many legitimate
> domains that look like fast-flux?
>
> Cheers,
> Thorsten
>
>
More information about the Discussion
mailing list