[Discussion] Why IDS sucks

Jeremy jeremy at sudosecure.net
Fri Oct 17 14:43:08 UTC 2008


I too did limited lab testing with this DNS preproc and have had no
real issues with it.  I have planned to move this from the lab in the
next few weeks to test on some real traffic, so I hope to have better
feedback real soon.

--jeremy

On Fri, Oct 17, 2008 at 9:31 AM, Andre Ludwig <aludwig at packetspy.com> wrote:
> Initially there were a few memory leaks and core dumps, but they all got
> resolved.  As for hard production use I have not heard anything negative
> yet.  I am going to assume that is because we lack the proper marketing
> merits to get it out to enough people to test.  (it worked during my
> quick testing)
>
> Andre
>
> Matt Jonkman wrote:
>> Oh ya, I remember this work. I didn't ever test it myself. How has it
>> fared in production?
>>
>> Matt
>>
>> Andre Ludwig wrote:
>>
>>> Thanks to the work of Scott at nersc.gov there is a snort preprocessor
>>> that handles the DNS cache poisoning as well as FastFlux.
>>>
>>> http://www.nersc.gov/~scottc/software/snort/index.html
>>>
>>> Andre Ludwig
>>>
>>> David Glosser wrote:
>>>
>>>> I believe Matt tested some Fast-Flux sigs, but they were prone to FPs
>>>> from legit sites such as amazon or cnn.....
>>>>
>>>> On Fri, Oct 17, 2008 at 8:09 AM, Thorsten Holz
>>>> <thorsten.holz at informatik.uni-mannheim.de> wrote:
>>>>
>>>>> On 17.10.2008, at 01:56, David Glosser wrote:
>>>>>
>>>>>> Matt, this begs for a wiki or something once you gather enough
>>>>>> information.
>>>>>>
>>>>> Yes, a wiki would perhaps help to structure the information.
>>>>>
>>>>>> -I would like to get alerts for L2 stuff (BPDUs, CDP, etc).
>>>>>> -ways to get alerts for fast-flux and other things where current sigs
>>>>>> are prone to FPs
>>>>>>
>>>>> Just out of curiosity: what techniques do you use to detect fast-flux
>>>>> domains? And doesn't a whitelist help or do you see so many legitimate
>>>>> domains that look like fast-flux?
>>>>>
>>>>> Cheers,
>>>>>  Thorsten
>>>>>
>>>> _______________________________________________
>>>> Discussion mailing list
>>>> Discussion at openinfosecfoundation.org
>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>>>>
>>>
>>
>>
>
>
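A defender-side illustration of Thorsten's question above (how to flag fast-flux domains, and why a whitelist is needed to suppress the CDN false positives David mentions), added here as example code that is not from the thread or from the Snort preprocessor: it scores repeated DNS answers by distinct address count, /16 spread and TTL, then suppresses alerts for a hypothetical whitelist. The thresholds, the whitelist contents and the sample lookups are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Hypothetical whitelist of domains known to rotate many low-TTL A records
# legitimately (CDN-fronted sites); a real list would be far longer.
WHITELIST = {"amazon.com", "cnn.com"}

def is_whitelisted(qname, whitelist=WHITELIST):
    """True if qname, or any parent domain of it, is whitelisted."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in whitelist for i in range(len(labels)))

def flux_score(observations, whitelist=WHITELIST, min_ips=5, min_nets=3, max_ttl=300):
    """observations: (qname, ttl, [ip, ...]) tuples from repeated lookups.
    Returns qname -> counters plus 'suspicious' (heuristic tripped) and
    'alert' (tripped and not whitelisted). /16 spread is a crude stand-in
    for ASN diversity, which needs external data."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for qname, ttl, answers in observations:
        ips[qname].update(answers)
        ttls[qname].append(ttl)
    report = {}
    for qname, seen in ips.items():
        nets = {ip_network(f"{ip}/16", strict=False) for ip in seen}
        min_ttl = min(ttls[qname])
        # Many distinct addresses, spread over several prefixes, short TTLs
        suspicious = len(seen) >= min_ips and len(nets) >= min_nets and min_ttl <= max_ttl
        report[qname] = {
            "unique_ips": len(seen), "unique_nets": len(nets), "min_ttl": min_ttl,
            "suspicious": suspicious,
            "alert": suspicious and not is_whitelisted(qname, whitelist),
        }
    return report

# Constructed sample (RFC 5737 test addresses, not real observations).
SAMPLE = [
    ("flux.example", 60, ["203.0.113.5", "198.51.100.7", "192.0.2.9", "203.0.113.44"]),
    ("flux.example", 60, ["198.51.100.21", "192.0.2.77", "203.0.113.5"]),
    ("flux.example", 30, ["192.0.2.9", "198.51.100.7", "192.0.2.200"]),
    ("www.cnn.com", 60, ["203.0.113.10", "198.51.100.10", "192.0.2.10"]),
    ("www.cnn.com", 60, ["203.0.113.11", "198.51.100.11"]),
    ("static.example", 3600, ["192.0.2.50"]),
    ("static.example", 3600, ["192.0.2.50"]),
]

if __name__ == "__main__":
    for name, row in flux_score(SAMPLE).items():
        print(name, row)
```

The whitelisted name still shows `suspicious` so the heuristic can be tuned against it, while only `alert` is meant to drive a signature.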


