On Jun 3, 2008, at 3:00 PM, Enigma wrote:
This is a little off topic. Not knocking Sourcefire or VRT (3D is great and I use the VRT sigs all the time) but I have found these type of signatures to have the highest rate of false positives. Don't get me wrong, these are useful when there isn't anything else but signatures developed from public or at least seen-in-the-wild exploits are much more accurate.
I know that Sourcefire has a great false positive reporting method for rules. Pcap's are needed.
-- Joel Esler [EMAIL PROTECTED] http://blog.joelesler.net [m] ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
