One of the reasons why this is interesting to a 'front-line grunt' like
myself (where a large part of the job is handling triggered signatures),
is that it enables me to make a better assessment about a possible
security incident. Does it trigger if it just sees 'cmd.exe' travelling
on port 80, or is it slightly more sophisticated? What are the
throttling/summarizing settings?
It is not often that I find it necessary to look into a signature like
this, but I like having that option.
Kjetil.
(and I seem to have just pushed the discussion even further away from
topic - apologies :-)
-----Original Message-----
From: Andrew Plato [mailto:andrew.plato@anitian.com]
Sent: 11 March 2005 19:42
To: Stephane; rick.brady@libertymutual.com
Cc: focus-ids@securityfocus.com
Subject: RE: How to choose an IDS/FW MSS provider
Honestly, how many people, except security geeks like us, really care
what is inside the signatures? Sure, its fun to look inside them and see
what they are keying on, but since ISS signatures are not purely "match
this string" kind of stuff that Snort does, its not that simple. And
more importantly, who the heck has time to do that? In the zillions of
Proventias and server sensors I've deployed, I don't think anybody has
ever once asked me "gosh, can we see the signature code." They were to
busy running their systems to obsess over the code inside signatures.
I think the "I can't see the signatures, I don't trust them" argument
isn't a viable reason to turn down an IPS/IDS vendor. If it was, then it
would put Cisco, Symantec, TippingPoint, and just about everybody else
with a high-performance IPS off the map.
ISS MSS from our experience as an ISS reseller has been positive. But, I
am an ISS reseller so I have to say that. Another that comes to mind is
Counterpane.
___________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D GPG
public key available at: http://www.anitian.com/corp/keys.htm
---------------------------------------------------
This email from dns has been validated by dnsMSS Managed Email Security and is
free from all known viruses.
For further information contact email-integrity@dns.co.uk
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
