Hi Dave,
Take a peek at the Internet Storm Centre @ SANS -
http://isc.sans.org/
Gives you a good idea about what's going on.
Which IDS devices are you looking at? All IDS devices are subject to large
numbers of false positives, which is why if you're making a new investment
you should consider IPS technology, as this gives you a far lower TCO and
real-world protection against zero-day threats. It also saves you having to
buy lots of IDS sensors, seeming a large proportion of the load will be
absorbed and taken care of by the IPS.
Just my 2 cents.. ;)
Cheers,
Tim
-----Original Message-----
From: Sames, David [mailto:David.Sames@sparta.com]
Sent: 13 July 2005 04:54
To: THolman@toplayer.com
Subject: RE: IDS evaluations procedures
Thanks for the info - those are exactly the kinds of characteristics I
need to consider - at this point, I'm not evaluating a product per se -
I'm evaluating some claims by some of our researchers :-) FP's are what
I'm most concerned about. I'll check things out to see if I can get more
stats - and of attempt to produce some data sets that may look like
"anomalies" but are really traffic spikes and shouldn't be flagged.
To specifically answer your question, look at current attack weather
reports
- you'll see approximately 15-20% of perimeter traffic is in fact worms
trying to propagate. Any evaluation should be designed with this in
mind.
..but more importantly, make sure you're evaluating something that will
do
the job in hand and doesn't lead you up the garden path with inaccurate
marketing collateral! :)
<<<
That's exactly what I was looking for !
Regards,
Dave
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
