[Discussion] Why IDS sucks

Matt Jonkman jonkman at jonkmans.com
Fri Oct 17 14:25:05 UTC 2008


David Glosser wrote:
> I believe Matt tested some Fast-Flux sigs, but they were prone to FPs
> from legit sites such as amazon or cnn.....

Ya, we tried some things for low ttl dns, but it's used in legit apps
too often.

Only real way I see to effectively go after fast flux might be dns
blacklisting. Most of them last for more than days, so blacklisting is
relatively effective if we can keep effective sandnetting and intel
gathering going. (Which is what we're trying to do at emerging threats
for the long term)

>>> Matt, this begs for a wiki or something once you gather enough
>>> information.
>> Yes, a wiki would perhaps help to structure the information.

Absolutely. I'm making some space in the ET wiki, details soon.

Matt

>>
>>> -I would like to get alerts for L2 stuff (BPDUs, CDP, etc).
>>> -ways to get alerts for fast-flux and other things where current sigs
>>> are prone to FPs
>> Just out of curiosity: what techniques do you use to detect fast-flux
>> domains? And doesn't a whitelist help or do you see so many legitimate
>> domains that look like fast-flux?
>>
>> Cheers,
>>  Thorsten
>>
>>
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
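The thread's point is that a rule keyed on low DNS TTL alone fires on legitimate CDN-fronted sites, and that a maintained blacklist built from sandnet and intel data is the more reliable signal. The following is an added example, not code from the thread or from Emerging Threats: it scores a domain on several observations taken together (low TTL, the number of distinct A records seen across successive lookups, and how many distinct /24 networks those addresses span) and combines that with an allowlist and a blocklist. The address-spread heuristic goes beyond what the thread states and is an assumption here; all domain names, addresses and thresholds are constructed for illustration.

```python
"""Fast-flux scoring over constructed DNS lookups (added example, not from the thread)."""
from dataclasses import dataclass, field
import ipaddress

# Constructed lists. A real deployment would feed these from intel/sandnet data.
ALLOWLIST = {"cdn.example-legit.test"}
BLOCKLIST = {"known-flux.example-bad.test"}

LOW_TTL_SECONDS = 300   # assumption: a TTL at or below this counts as "low"
MIN_DISTINCT_IPS = 10   # assumption: distinct A records across lookups
MIN_DISTINCT_NETS = 5   # assumption: distinct /24 networks across lookups
FLAG_THRESHOLD = 5      # assumption: score at which we raise an alert


@dataclass
class DnsObservation:
    domain: str
    ttl: int
    a_records: list  # IPv4 address strings returned by one lookup


@dataclass
class Verdict:
    domain: str
    score: int = 0
    reasons: list = field(default_factory=list)
    flagged: bool = False


def score_domain(observations):
    """Score one domain from its successive lookups (list of DnsObservation)."""
    domain = observations[0].domain
    v = Verdict(domain=domain)
    if domain in ALLOWLIST:
        v.reasons.append("allowlisted")
        return v                      # never alert on a known-good domain
    if domain in BLOCKLIST:
        v.score += 10                 # intel-backed blocklist hit outweighs heuristics
        v.reasons.append("blocklisted")

    ips = {ip for obs in observations for ip in obs.a_records}
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    min_ttl = min(obs.ttl for obs in observations)

    # Low TTL on its own is weak evidence: CDNs use it too, so it scores 1.
    if min_ttl <= LOW_TTL_SECONDS:
        v.score += 1
        v.reasons.append(f"low ttl {min_ttl}s")
    # Many distinct addresses, spread across many networks, is what separates
    # flux hosting from a CDN answering from a handful of its own ranges.
    if len(ips) >= MIN_DISTINCT_IPS:
        v.score += 3
        v.reasons.append(f"{len(ips)} distinct A records")
    if len(nets) >= MIN_DISTINCT_NETS:
        v.score += 4
        v.reasons.append(f"{len(nets)} distinct /24 networks")

    v.flagged = v.score >= FLAG_THRESHOLD
    return v


def constructed_observations():
    """Constructed lookups: a CDN-like site, a flux-like site, and list hits."""
    cdn_like = [
        DnsObservation("news.example-legit.test", 60, ["198.51.100.10", "198.51.100.11"]),
        DnsObservation("news.example-legit.test", 60, ["198.51.100.12", "203.0.113.5"]),
    ]
    # Four lookups, four fresh addresses each, every address in its own /24.
    flux_like = [
        DnsObservation("flux.example-bad.test", 120, [f"10.{4 * k + j}.0.7" for j in range(4)])
        for k in range(4)
    ]
    allowlisted = [DnsObservation("cdn.example-legit.test", 30, ["192.0.2.40"])]
    blocklisted = [DnsObservation("known-flux.example-bad.test", 30, ["192.0.2.99"])]
    return [cdn_like, flux_like, allowlisted, blocklisted]


def run_example():
    """Score every constructed domain and return {domain: Verdict}."""
    return {obs[0].domain: score_domain(obs) for obs in constructed_observations()}


if __name__ == "__main__":
    for domain, verdict in run_example().items():
        state = "ALERT" if verdict.flagged else "ok"
        print(f"{state:5} {domain:30} score={verdict.score} {verdict.reasons}")
```

The CDN-like domain scores only the low-TTL point and is not flagged, while the flux-like domain accumulates the address-spread points as well and crosses the threshold; an allowlisted domain is never scored and a blocklist hit alone is enough to alert, which matches the thread's view that curated lists carry more weight than the TTL heuristic.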