[Discussion] Why IDS sucks

• Previous message (by thread): [Discussion] Why IDS sucks
• Next message (by thread): [Discussion] Why IDS sucks
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Initially there were a few memory leaks and core dumps, but they all got 
resolved.  As for hard production use i have not heard anything negative 
yet.  I am going to assume that is because we lack the proper marketing 
merits to get it out to enough people to test.  (it worked during my 
quick testing)

Andre

Matt Jonkman wrote:
> Oh ya, I remember this work. I didn't ever test it myself. How has is
> fared in production?
>
> Matt
>
> Andre Ludwig wrote:
>   
>> Thanks to the work of Scott at nersc.gov there is a snort preproccessor 
>> that handles the DNS cache poisoning as well as FastFlux.
>>
>> http://www.nersc.gov/~scottc/software/snort/index.html
>>
>> Andre Ludwig
>>
>> David Glosser wrote:
>>     
>>> I believe Matt tested some Fast-Flux sigs, but they were prone to FPs
>>> from legit sites such as amazon or cnn.....
>>>
>>> On Fri, Oct 17, 2008 at 8:09 AM, Thorsten Holz
>>> <thorsten.holz at informatik.uni-mannheim.de> wrote:
>>>   
>>>       
>>>> On 17.10.2008, at 01:56, David Glosser wrote:
>>>>
>>>>     
>>>>         
>>>>> Matt, this begs for a wiki or something once you gather enough
>>>>> information.
>>>>>       
>>>>>           
>>>> Yes, a wiki would perhaps help to structure the information.
>>>>
>>>>     
>>>>         
>>>>> -I would like to get alerts for L2 stuff (BPDUs, CDP, etc).
>>>>> -ways to get alerts for fast-flux and other things where current sigs
>>>>> are prone to FPs
>>>>>       
>>>>>           
>>>> Just out of curiosity: what techniques do you use to detect fast-flux
>>>> domains? And doesn't a whitelist help or do you see so many legitimate
>>>> domains that look like fast-flux?
>>>>
>>>> Cheers,
>>>>  Thorsten
>>>>
>>>>
>>>>     
>>>>         
>>> _______________________________________________
>>> Discussion mailing list
>>> Discussion at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>>>
>>>   
>>>       
>> _______________________________________________
>> Discussion mailing list
>> Discussion at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>>     
>
>   

• Previous message (by thread): [Discussion] Why IDS sucks
• Next message (by thread): [Discussion] Why IDS sucks
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]