On Aug 8, 2005, at 1:22 PM, Ron Gula wrote:
I think most of them are relying on existing technology. For example,
a quick check of snort.org and bleedingsnort.org didn't have any new
cisco-specific rules, yet there are signatures to detect various Cisco
attacks already.
We stopped looking for shellcode with Snort years ago; we focus our
rule development efforts on detection of people exercising the
protocols improperly instead of looking for specific signatures
whenever possible. Our existing Cisco rules most likely need to have
the messages updated from "DoS" to "exploit"; that's about it.
Playing the shellcode detection game is a dead end unless that's all
you've got.
-Marty
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Network Defense for the Real World - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org
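To make the protocol-misuse versus shellcode-signature argument above concrete, here is an added illustration that is not part of the thread and not Sourcefire or Snort code. It uses a constructed toy protocol (one type byte, a two-byte length, a payload, with an assumed 64-byte payload maximum) and a constructed marker byte string standing in for a signature; a fixed-pattern check only fires on the sample it was written for, while a conformance check fires on every message that breaks the protocol's own rules.

```python
import struct

# Constructed toy protocol for illustration only (not a real Cisco or IOS format):
# 1-byte message type, 2-byte big-endian payload length, then the payload.
# Assumption: the spec allows at most 64 bytes of payload for type 0x01.
MAX_PAYLOAD = {0x01: 64}

# Constructed placeholder pattern for a signature-style rule (not real shellcode).
KNOWN_MARKER = b"\x90\x90\x90\x90"


def parse(packet):
    """Split a packet into (msg_type, declared_len, payload); reject truncated headers."""
    if len(packet) < 3:
        raise ValueError("short header")
    msg_type, declared = struct.unpack(">BH", packet[:3])
    return msg_type, declared, packet[3:]


def signature_alert(packet):
    """Signature approach: alert only if the exact marker bytes are present."""
    _, _, payload = parse(packet)
    return KNOWN_MARKER in payload


def protocol_alert(packet):
    """Protocol-misuse approach: alert on an unknown type, a declared length above
    the spec maximum, or a declared length that disagrees with the bytes carried."""
    msg_type, declared, payload = parse(packet)
    limit = MAX_PAYLOAD.get(msg_type)
    if limit is None or declared > limit or declared != len(payload):
        return True
    return False


def build(msg_type, payload):
    """Assemble a well-formed header for a payload (constructed sample builder)."""
    return struct.pack(">BH", msg_type, len(payload)) + payload


# Constructed samples: one benign, one oversized with the marker, one oversized without it.
BENIGN = build(0x01, b"hello")
KNOWN_BAD = build(0x01, KNOWN_MARKER + b"A" * 100)
VARIANT_BAD = build(0x01, b"ABCD" + b"B" * 100)


def compare(packets):
    """Return {name: (signature_fired, protocol_fired)} for each sample."""
    return {name: (signature_alert(p), protocol_alert(p)) for name, p in packets.items()}
```

Running `compare({"benign": BENIGN, "known": KNOWN_BAD, "variant": VARIANT_BAD})` shows the signature rule missing the variant that the length check still catches.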