[Discussion] Why IDS sucks

Andre Ludwig aludwig at packetspy.com
Fri Oct 17 14:24:26 UTC 2008


Thanks to the work of Scott at nersc.gov there is a snort preprocessor 
that handles the DNS cache poisoning as well as FastFlux.

http://www.nersc.gov/~scottc/software/snort/index.html

Andre Ludwig

David Glosser wrote:
> I believe Matt tested some Fast-Flux sigs, but they were prone to FPs
> from legit sites such as amazon or cnn.....
>
> On Fri, Oct 17, 2008 at 8:09 AM, Thorsten Holz
> <thorsten.holz at informatik.uni-mannheim.de> wrote:
>   
>> On 17.10.2008, at 01:56, David Glosser wrote:
>>
>>     
>>> Matt, this begs for a wiki or something once you gather enough
>>> information.
>>>       
>> Yes, a wiki would perhaps help to structure the information.
>>
>>     
>>> -I would like to get alerts for L2 stuff (BPDUs, CDP, etc).
>>> -ways to get alerts for fast-flux and other things where current sigs
>>> are prone to FPs
>>>       
>> Just out of curiosity: what techniques do you use to detect fast-flux
>> domains? And doesn't a whitelist help or do you see so many legitimate
>> domains that look like fast-flux?
>>
>> Cheers,
>>  Thorsten
>>
>>
>>     
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
>   
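Thorsten's question about fast-flux detection techniques and David's note on false positives from legitimate sites, illustrated with an added example (my own code, not from the list or from the nersc.gov preprocessor): a toy scorer over repeated DNS lookups of one name, with the whitelist Thorsten suggests applied before scoring. Domain names, addresses and thresholds are constructed assumptions.

```python
# Added example, not code from the list or from the nersc.gov preprocessor.
# A toy fast-flux heuristic over repeated DNS A-record lookups of one name:
# many distinct IPs spread over many /16 networks with short TTLs. A CDN-hosted
# site rotates low-TTL addresses the same way, which is why plain signatures
# produce false positives; a whitelist is applied before scoring.
from dataclasses import dataclass
from typing import List, FrozenSet, Tuple

@dataclass
class Lookup:
    name: str           # queried domain name
    ttl: int            # TTL of the A records in this response
    answers: List[str]  # IPv4 addresses returned in this one response

def flux_features(lookups: List[Lookup]) -> Tuple[int, int, int]:
    """Return (distinct IPs, distinct /16 networks, lowest TTL seen)."""
    ips, nets, min_ttl = set(), set(), None
    for lk in lookups:
        for a in lk.answers:
            ips.add(a)
            nets.add(".".join(a.split(".")[:2]))  # coarse /16 bucket
        min_ttl = lk.ttl if min_ttl is None else min(min_ttl, lk.ttl)
    return len(ips), len(nets), min_ttl

def is_whitelisted(name: str, whitelist: FrozenSet[str]) -> bool:
    n = name.lower().rstrip(".")
    return any(n == w or n.endswith("." + w) for w in whitelist)

def is_fast_flux(lookups, whitelist=frozenset(),
                 min_ips=5, min_nets=3, max_ttl=300) -> bool:
    """Flag a name when all three features cross the (assumed) thresholds."""
    if is_whitelisted(lookups[0].name, whitelist):
        return False
    ips, nets, ttl = flux_features(lookups)
    return ips >= min_ips and nets >= min_nets and ttl <= max_ttl

# Constructed sample data (private address space, invented names).
FLUX = [Lookup("flux.example", 60, ["10.1.0.5", "10.2.0.9", "10.3.0.7"]),
        Lookup("flux.example", 60, ["10.4.0.1", "10.5.0.2", "10.6.0.3"]),
        Lookup("flux.example", 60, ["10.7.0.8", "10.8.0.4", "10.9.0.6"])]
CDN = [Lookup("www.cdn-retailer.example", 60, ["172.16.1.1", "172.17.1.1", "172.18.1.1"]),
       Lookup("www.cdn-retailer.example", 60, ["172.19.1.1", "172.20.1.1", "172.16.1.1"])]
STATIC = [Lookup("static.example", 3600, ["192.0.2.10"])] * 3
WHITELIST = frozenset({"cdn-retailer.example"})

if __name__ == "__main__":
    for lk in (FLUX, CDN, STATIC):
        print(lk[0].name, flux_features(lk), is_fast_flux(lk), is_fast_flux(lk, WHITELIST))
```

The CDN-like name trips the heuristic exactly as the flux name does; only the whitelist separates them, which is the trade-off the thread describes.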
