Network Security Focus-IDS

RE: Recommended IPS signature set

Subject: RE: Recommended IPS signature set
Date: Mon, 10 Dec 2007 10:12:25 -0800
Most of the 'Out-of-box' configurations are such that their device
performs better.

So they would disable the signatures which would affect the performance.
You would observe that most of the signatures where pattern matching is
involved per packet (independent of the flow, or specific port number)
would always be disabled.

Another reason for disabling non-critical signatures is that some of the
devices have a limit on the number of patterns that can be loaded in fast
memory without the need of swapping out. Thus they try to limit the
number of patterns by tuning the number of signatures.

Some of the signatures are disabled because of high rate of false
positives.

Although none of the products would say the above, that is the primary
reason.

Anyway, it is better to tune the IDS/IPS device per individual
environment so as to get maximum performance and fewer false positives.


Regards,
Yashodhan


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Ravi Chunduru
Sent: Saturday, December 08, 2007 8:17 AM
To: focus-ids@securityfocus.com
Subject: Recommended IPS signature set

I understand from several emails on this list that UTM or IPS
devices enable only a subset of signatures for detection as well as
blocking - it is being termed 'sane IPS', 'out-of-box IPS',
'recommended', etc.

Are there any criteria (standard or non-standard) used in categorizing a
signature as 'recommended'? Is it based on CVE priority?

Thanks
Ravi
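The two tuning reasons Yashodhan gives above (per-packet pattern matching that no port or flow prefilter can skip, and a high false-positive rate) can be measured rather than guessed. The following is an added example, not code from the thread or from any IPS product: it models signatures with optional port/flow prefilters, runs them over a small constructed traffic sample, and derives an enabled/disabled split the way a vendor "recommended" set would. Signature names, payloads and thresholds are all constructed for illustration.

```python
from typing import NamedTuple, Optional

class Signature(NamedTuple):
    name: str
    pattern: bytes
    dst_port: Optional[int] = None   # None: no port prefilter, matcher runs on every packet
    established_only: bool = False   # True: only packets inside an established flow

# Constructed sample traffic (not a capture): (dst_port, established, payload, is_attack).
TRAFFIC = [
    (80, True, b"GET /index.html HTTP/1.1", False),
    (80, True, b"GET /cgi-bin/../../etc/passwd HTTP/1.1", True),
    (25, True, b"RCPT TO:<root@example.net>", False),
    (443, False, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b", False),
    (21, True, b"USER root", True),
]
# Constructed signatures: two narrow ones, two that have to be matched on every packet.
SIGNATURES = [
    Signature("web-traversal", b"/../../", dst_port=80, established_only=True),
    Signature("ftp-root-login", b"USER root", dst_port=21, established_only=True),
    Signature("generic-root-string", b"root"),
    Signature("any-port-nop-sled", b"\x90\x90\x90\x90"),
]

def evaluate(signatures, traffic):
    """Return {name: (packets_scanned, hits, false_positives)}; scanned = matcher invocations."""
    stats = {}
    for sig in signatures:
        scanned = hits = fps = 0
        for dst_port, established, payload, attack in traffic:
            if sig.dst_port not in (None, dst_port) or (sig.established_only and not established):
                continue  # port/flow prefilter drops the packet before any pattern matching
            scanned += 1
            if sig.pattern in payload:
                hits += 1
                fps += not attack
        stats[sig.name] = (scanned, hits, fps)
    return stats

def recommend(stats, total_packets, max_scan_ratio=0.5, max_false_positives=0):
    """Split signatures into an enabled list and a {name: reason} dict of disabled ones."""
    enabled, disabled = [], {}
    for name, (scanned, _hits, fps) in stats.items():
        if fps > max_false_positives:
            disabled[name] = "false positives on benign traffic"
        elif scanned / total_packets > max_scan_ratio:
            disabled[name] = "matched on every packet (no port or flow prefilter)"
        else:
            enabled.append(name)
    return enabled, disabled
```

Re-running `evaluate` and `recommend` against a capture from your own network, with thresholds set to your device's budget, is the per-environment tuning the reply recommends.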
