[Discussion] Why IDS sucks

Andre Ludwig aludwig at packetspy.com
Fri Oct 17 14:51:54 UTC 2008


Feel free to send any feedback to Scott (email at the link I sent out), 
or to me (I'll send it to Scott).

Andre Ludwig

Jeremy wrote:
> I too did limited lab testing with this DNS preproc and have had no
> real issues with it.  I have planned to move this from the lab in the
> next few weeks to test on some real traffic, so I hope to have better
> feedback real soon.
>
> --jeremy
>
> On Fri, Oct 17, 2008 at 9:31 AM, Andre Ludwig <aludwig at packetspy.com> wrote:
>> Initially there were a few memory leaks and core dumps, but they all got
>> resolved.  As for hard production use I have not heard anything negative
>> yet.  I am going to assume that is because we lack the proper marketing
>> merits to get it out to enough people to test.  (it worked during my
>> quick testing)
>>
>> Andre
>>
>> Matt Jonkman wrote:
>>> Oh ya, I remember this work. I didn't ever test it myself. How has it
>>> fared in production?
>>>
>>> Matt
>>>
>>> Andre Ludwig wrote:
>>>
>>>> Thanks to the work of Scott at nersc.gov there is a Snort preprocessor
>>>> that handles the DNS cache poisoning as well as FastFlux.
>>>>
>>>> http://www.nersc.gov/~scottc/software/snort/index.html
>>>>
>>>> Andre Ludwig
>>>>
>>>> David Glosser wrote:
>>>>
>>>>> I believe Matt tested some Fast-Flux sigs, but they were prone to FPs
>>>>> from legit sites such as amazon or cnn.....
>>>>>
>>>>> On Fri, Oct 17, 2008 at 8:09 AM, Thorsten Holz
>>>>> <thorsten.holz at informatik.uni-mannheim.de> wrote:
>>>>>
>>>>>> On 17.10.2008, at 01:56, David Glosser wrote:
>>>>>>
>>>>>>> Matt, this begs for a wiki or something once you gather enough
>>>>>>> information.
>>>>>>>
>>>>>> Yes, a wiki would perhaps help to structure the information.
>>>>>>
>>>>>>> -I would like to get alerts for L2 stuff (BPDUs, CDP, etc).
>>>>>>> -ways to get alerts for fast-flux and other things where current sigs
>>>>>>> are prone to FPs
>>>>>>>
>>>>>> Just out of curiosity: what techniques do you use to detect fast-flux
>>>>>> domains? And doesn't a whitelist help or do you see so many legitimate
>>>>>> domains that look like fast-flux?
>>>>>>
>>>>>> Cheers,
>>>>>>  Thorsten
>>>>>>
>>>>> _______________________________________________
>>>>> Discussion mailing list
>>>>> Discussion at openinfosecfoundation.org
>>>>> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>>>>>
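The fast-flux false-positive problem and the whitelist question raised in the thread, as an added example written for this page (not Scott's preprocessor or anyone's code from the list): a small heuristic over DNS answer records. All names, addresses and ASNs below are constructed, and the per-record ASN column is an assumption standing in for a routing-data lookup.

```python
# Added example for this thread, not code from the preprocessor it discusses:
# a fast-flux heuristic over DNS answers, showing why "low TTL + many A
# records" alone trips on CDN-hosted names and how ASN diversity plus a
# whitelist narrow the alerts. All names, addresses and ASNs are constructed.
from collections import defaultdict

# (qname, ttl, rdata, origin_asn); the ASN column is an assumption: a real
# pipeline would derive it from routing data rather than carry it in the answer.
RECORDS = [
    ("cdn.example-shop.test", 30, "203.0.113.10", 64500),
    ("cdn.example-shop.test", 30, "203.0.113.11", 64500),
    ("cdn.example-shop.test", 30, "203.0.113.12", 64500),
    ("cdn.example-shop.test", 30, "203.0.113.13", 64500),
    ("bad.flux.test", 120, "198.51.100.7", 64496),
    ("bad.flux.test", 120, "192.0.2.44", 64497),
    ("bad.flux.test", 120, "198.51.100.99", 64498),
    ("bad.flux.test", 120, "192.0.2.201", 64499),
    ("static.example.test", 86400, "203.0.113.200", 64500),
]
WHITELIST = {"cdn.example-shop.test"}  # known-good names with CDN-style DNS

def summarize(records):
    """Collapse answer records per name into the features the heuristic uses."""
    feats = defaultdict(lambda: {"ips": set(), "asns": set(), "min_ttl": None})
    for qname, ttl, rdata, asn in records:
        f = feats[qname]
        f["ips"].add(rdata)
        f["asns"].add(asn)
        f["min_ttl"] = ttl if f["min_ttl"] is None else min(f["min_ttl"], ttl)
    return feats

def naive_flags(records, ttl_max=300, min_ips=3):
    """TTL + IP-count rule only: the kind of signature that FPs on CDN customers."""
    return {q for q, f in summarize(records).items()
            if f["min_ttl"] <= ttl_max and len(f["ips"]) >= min_ips}

def flux_flags(records, whitelist=frozenset(), ttl_max=300, min_ips=3, min_asns=3):
    """Same rule plus ASN diversity (flux nodes sit in many networks, a CDN's
    pool usually in one) and a whitelist for names known to be legitimate."""
    return {q for q, f in summarize(records).items()
            if q not in whitelist
            and f["min_ttl"] <= ttl_max
            and len(f["ips"]) >= min_ips
            and len(f["asns"]) >= min_asns}

if __name__ == "__main__":
    print("naive rule flags:", sorted(naive_flags(RECORDS)))
    print("tuned rule flags:", sorted(flux_flags(RECORDS, WHITELIST)))
```

On the constructed data the naive rule flags both the CDN-hosted name and the flux name, while the ASN-diversity check alone already drops the CDN case, so the whitelist is a second layer rather than the only defence.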