Hi Brian,
Not sure if any qualification has been done for the false negative
scenarios, but generally the way we approach it is to have a lot of rules
either in just alert mode, or in what we sometimes dub simulation mode, to
see what kind of IPS action would be taken, and then tune the rules
accordingly.
Thanks
Proneet.
-------------------------------------------------------------
I find that the harder I work, the more luck I seem to have
-----Original Message-----
From: Basgen, Brian [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 13, 2006 8:38 AM
To: [email protected]
Subject: IPS false negatives
Is anyone aware of research that has been done to qualify/quantify the
false negatives that commercial IPSs will pass when running on a
default configuration?
My understanding is that every IPS ships with only a portion of its
rules activated; the reason being that some suspect traffic can either
be an attack or legitimate network traffic. Therefore, blocking such
traffic can be problematic, and visibility is the only realistic
defense.
~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College
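The alert-only "simulation mode" tuning loop Proneet describes, applied to Brian's false-negative question, as an added example that is not part of the thread or of any IPS product: every rule is evaluated against a labelled sample corpus, attacks that the shipped defaults (only "block" rules enforced) would pass are counted, and rules that never matched legitimate traffic are flagged as candidates to promote. The rule patterns, signature ids and sample flows are all constructed for the demo.

```python
# Added example (not from the thread): replay labelled sample traffic through
# an IPS-style rule set with every rule in alert/simulation mode, count the
# attacks the shipped defaults would pass, and flag rules safe to set to block.
import re
from dataclasses import dataclass

@dataclass
class Rule:
    sid: int
    pattern: str          # regex applied to a flow's request summary
    default_action: str   # "block" or "alert" as shipped by the vendor

@dataclass
class Flow:
    payload: str
    is_attack: bool       # ground-truth label from the test corpus

# Constructed rule set and corpus; patterns and flows are illustrative only.
RULES = [
    Rule(1001, r"\.\./\.\./", "block"),          # directory traversal
    Rule(1002, r"(?i)union\s+select", "alert"),   # SQLi, shipped alert-only
    Rule(1003, r"(?i)<script", "alert"),          # XSS, shipped alert-only
    Rule(1004, r"(?i)select\s", "alert"),         # broad keyword, expected noisy
]
FLOWS = [
    Flow("GET /../../etc/passwd", True),
    Flow("GET /search?q=1' UNION SELECT user,pass FROM t", True),
    Flow("POST /comment body=<script>alert(1)</script>", True),
    Flow("GET /docs?q=how to select a laptop", False),
    Flow("GET /reports?sql=SELECT count(*) FROM sales", False),
    Flow("GET /index.html", False),
]

def simulate(rules, flows):
    """Per-rule match counts, plus attacks the default config would pass."""
    stats = {r.sid: {"attacks": 0, "benign": 0} for r in rules}
    false_negatives = []
    for f in flows:
        blocked = False
        for r in rules:
            if re.search(r.pattern, f.payload):
                stats[r.sid]["attacks" if f.is_attack else "benign"] += 1
                blocked |= r.default_action == "block"
        if f.is_attack and not blocked:
            false_negatives.append(f.payload)
    return stats, false_negatives

def safe_to_block(stats):
    """Rules that caught attacks and never matched legitimate traffic."""
    return sorted(sid for sid, s in stats.items() if s["attacks"] and not s["benign"])
```

Rule 1004 catches one attack but also breaks two legitimate requests, which is exactly the kind of rule a vendor ships alert-only and a site has to tune before enforcing.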
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------