[Discussion] Why IDS sucks

Andre Ludwig aludwig at packetspy.com
Fri Oct 17 14:31:15 UTC 2008


Initially there were a few memory leaks and core dumps, but they all got 
resolved.  As for hard production use I have not heard anything negative 
yet.  I am going to assume that is because we lack the proper marketing 
merits to get it out to enough people to test.  (It worked during my 
quick testing.)

Andre

Matt Jonkman wrote:
> Oh ya, I remember this work. I didn't ever test it myself. How has it
> fared in production?
>
> Matt
>
> Andre Ludwig wrote:
>> Thanks to the work of Scott at nersc.gov there is a snort preprocessor 
>> that handles the DNS cache poisoning as well as FastFlux.
>>
>> http://www.nersc.gov/~scottc/software/snort/index.html
>>
>> Andre Ludwig
>>
>> David Glosser wrote:
>>> I believe Matt tested some Fast-Flux sigs, but they were prone to FPs
>>> from legit sites such as amazon or cnn.....
>>>
>>> On Fri, Oct 17, 2008 at 8:09 AM, Thorsten Holz
>>> <thorsten.holz at informatik.uni-mannheim.de> wrote:
>>>> On 17.10.2008, at 01:56, David Glosser wrote:
>>>>
>>>>> Matt, this begs for a wiki or something once you gather enough
>>>>> information.
>>>> Yes, a wiki would perhaps help to structure the information.
>>>>
>>>>> -I would like to get alerts for L2 stuff (BPDUs, CDP, etc).
>>>>> -ways to get alerts for fast-flux and other things where current sigs
>>>>> are prone to FPs
>>>> Just out of curiosity: what techniques do you use to detect fast-flux
>>>> domains? And doesn't a whitelist help or do you see so many legitimate
>>>> domains that look like fast-flux?
>>>>
>>>> Cheers,
>>>>  Thorsten
>>>>
>>> _______________________________________________
>>> Discussion mailing list
>>> Discussion at openinfosecfoundation.org
>>> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>>>
>
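As an added illustration of the whitelist-plus-heuristics approach Thorsten asks about (example code written for this archive page, not Scott's preprocessor or anything posted in the thread): it scores each queried name on low TTL, the number of distinct A records and the number of distinct /16 networks seen across repeated lookups, and suppresses alerts for whitelisted suffixes so CDN-backed sites do not fire. The domain names, lookup data, and thresholds are constructed.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed lookup history (query name, TTL, A records); documentation-range IPs, not real data.
OBSERVATIONS = [
    ("update-login.example", 300, ["198.51.100.7", "203.0.113.22", "192.0.2.45"]),
    ("update-login.example", 300, ["198.51.100.90", "203.0.113.201", "192.0.2.8"]),
    ("update-login.example", 300, ["198.51.100.111", "203.0.113.3", "192.0.2.250"]),
    ("www.cdn-shop.example", 60, ["198.51.100.10", "203.0.113.11", "192.0.2.12"]),
    ("www.cdn-shop.example", 60, ["198.51.100.13", "203.0.113.14", "192.0.2.15"]),
    ("www.cdn-shop.example", 60, ["198.51.100.16", "203.0.113.17", "192.0.2.18"]),
    ("static.intranet.example", 3600, ["192.0.2.99"]),
]

# Suffix whitelist for legitimate CDN-backed names that look flux-like (constructed).
WHITELIST = {"cdn-shop.example"}

# Assumed thresholds (tune per site): short TTL, many IPs spread over several /16s.
MAX_TTL, MIN_IPS, MIN_NETS = 600, 6, 3

def is_whitelisted(name, whitelist):
    """True if name or any parent domain of it is on the whitelist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels)))

def flux_features(observations):
    """Aggregate per-name minimum TTL, distinct IPs and distinct /16 networks."""
    feats = defaultdict(lambda: {"min_ttl": None, "ips": set(), "nets": set()})
    for name, ttl, answers in observations:
        f = feats[name]
        f["min_ttl"] = ttl if f["min_ttl"] is None else min(f["min_ttl"], ttl)
        for addr in answers:
            f["ips"].add(addr)
            f["nets"].add(str(ip_network(addr + "/16", strict=False)))
    return feats

def classify(observations, whitelist):
    """Map each name to 'whitelisted', 'suspected-fast-flux' or 'benign'."""
    verdicts = {}
    for name, f in flux_features(observations).items():
        fluxy = (f["min_ttl"] <= MAX_TTL and len(f["ips"]) >= MIN_IPS
                 and len(f["nets"]) >= MIN_NETS)
        if is_whitelisted(name, whitelist):
            verdicts[name] = "whitelisted"  # suppress the known false positive
        elif fluxy:
            verdicts[name] = "suspected-fast-flux"
        else:
            verdicts[name] = "benign"
    return verdicts
```

Feeding it real resolver logs would mean replacing OBSERVATIONS with parsed query/answer records; the /16 grouping is a stand-in for an ASN lookup when no offline ASN database is available.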