[Discussion] Why IDS sucks
Matt Jonkman
jonkman at jonkmans.com
Fri Oct 17 14:25:38 UTC 2008
Oh ya, I remember this work. I didn't ever test it myself. How has it
fared in production?
Matt
Andre Ludwig wrote:
> Thanks to the work of Scott at nersc.gov there is a snort preprocessor
> that handles the DNS cache poisoning as well as FastFlux.
>
> http://www.nersc.gov/~scottc/software/snort/index.html
>
> Andre Ludwig
>
> David Glosser wrote:
>> I believe Matt tested some Fast-Flux sigs, but they were prone to FPs
>> from legit sites such as amazon or cnn.....
>>
>> On Fri, Oct 17, 2008 at 8:09 AM, Thorsten Holz
>> <thorsten.holz at informatik.uni-mannheim.de> wrote:
>>
>>> On 17.10.2008, at 01:56, David Glosser wrote:
>>>
>>>
>>>> Matt, this begs for a wiki or something once you gather enough
>>>> information.
>>>>
>>> Yes, a wiki would perhaps help to structure the information.
>>>
>>>
>>>> -I would like to get alerts for L2 stuff (BPDUs, CDP, etc).
>>>> -ways to get alerts for fast-flux and other things where current sigs
>>>> are prone to FPs
>>>>
>>> Just out of curiosity: what techniques do you use to detect fast-flux
>>> domains? And doesn't a whitelist help or do you see so many legitimate
>>> domains that look like fast-flux?
>>>
>>> Cheers,
>>> Thorsten
>>>
>>>
>>>
>> _______________________________________________
>> Discussion mailing list
>> Discussion at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>>
>>
>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
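As an added illustration of the whitelist question raised in the thread (this is not code from the thread or from the NERSC Snort preprocessor): a small Python fast-flux heuristic run over constructed DNS observations. It scores distinct IPs and distinct ASNs with a TTL discount, and checks a registered-domain whitelist first so that CDN-fronted sites whose addresses span many ASNs (the amazon/cnn false-positive case) are not flagged. All names, addresses, ASNs, weights and the threshold are assumptions made up for this example.

```python
from typing import Dict

# Constructed observations: for each queried name, every A record returned
# over a window of repeated lookups, mapped to the ASN announcing that IP,
# plus the smallest TTL seen. All values are made up for illustration.
OBSERVED: Dict[str, dict] = {
    # CDN that places caches inside ISP networks: many IPs, many ASNs,
    # short TTL. Looks like flux on DNS features alone (the amazon/cnn case).
    "www.shop.example": {
        "min_ttl": 20,
        "ip_asn": {f"203.0.113.{i}": 64500 + i for i in range(1, 9)},
    },
    # Flux network: many IPs spread over many consumer ASNs, short TTL.
    "update-host.example": {
        "min_ttl": 180,
        "ip_asn": {f"198.51.100.{i}": 64600 + i for i in range(1, 11)},
    },
    # Ordinary site: one address, long TTL.
    "plain.example": {"min_ttl": 3600, "ip_asn": {"192.0.2.10": 64700}},
}

# Registered domains known to sit behind a CDN; matched by suffix so that
# every host under them is covered.
WHITELIST = {"shop.example"}

def flux_score(min_ttl: int, ip_asn: Dict[str, int]) -> float:
    """Weighted count of distinct IPs and distinct ASNs, discounted when the
    TTL is long. Weights and the threshold in classify() are illustrative."""
    n_ips = len(ip_asn)
    n_asn = len(set(ip_asn.values()))
    ttl_factor = 1.0 if min_ttl <= 300 else 0.25
    return ttl_factor * (1.0 * n_ips + 5.0 * n_asn)

def in_whitelist(name: str, whitelist) -> bool:
    """True if the name or any parent domain is whitelisted."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels)))

def classify(name: str, obs: dict, threshold: float = 40.0) -> str:
    """Whitelist first, then score: 'whitelisted', 'fast-flux' or 'benign'."""
    if in_whitelist(name, WHITELIST):
        return "whitelisted"
    score = flux_score(obs["min_ttl"], obs["ip_asn"])
    return "fast-flux" if score >= threshold else "benign"

def classify_all() -> Dict[str, str]:
    return {name: classify(name, obs) for name, obs in OBSERVED.items()}

if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:24s} {verdict}")
```

Without the whitelist, www.shop.example scores 48 and would be flagged just like the flux network, which is exactly the false-positive class the thread describes.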