Claims don't really mean much to me. After going through the song and
dance sales pitch of most IPS vendors that claim serious protection
but instead only offer a false sense of security I am a bit jaded.
False negatives in Tipping Point are as plentiful as beer in Germany.
You want an example? Take a jpeg and somewhere in it embed an
offending guid from ms03-026 or ms03-039. Copy this jpeg between two
windows machines over file sharing. Viola, tipping point just fired
the sig over the the pic being copied.
If they had real protocol parsing this would not be possible.
On Sat, 18 Sep 2004 10:28:58 -0400, idswizard@earthlink.net
<idswizard@earthlink.net> wrote:
Only way to do this and not create tons of false postives is true protocol
parsing. This knocks out most IPS vendors like Tipping Point.
That is an interesting statement. Tipping Point claims to only have one
customer experience a false positive and it was based on Chat traffic.
During a SANS webcast, Los Alamos National Laboratory seemed to back that
data (https://www.sans.org/webcasts/show.php?webcastid=90514).
What test(s) have you done showing Tipping Point is prone to false positives
based on their signatures/filters?
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------
