Yes they do all look at the same common holes and flag them but as for detection everyone has a different method.
On Fri, Oct 9, 2009 at 1:16 PM, Rohit Patnaik <[email protected]> wrote: > Why would Cisco, Juniper, etc. maintain the signature sets? > Presumably, each company maintains its own set of allow/deny rules. > > --Rohit Patnaik > > 2009/10/9 srujan <[email protected]>: > > I agree with your word let "customer network admin selects it". But > Tipping Point, Juniper, Cisco and Snort will have a wide range of customers, > and maintaining different signature set for different Orgs is a big > headache. > > > > All these guys are maintaining 95% to 99% detection coverage at NSS > testing. That's why i asked about the selection criteria. > > > > On Fri, Oct 9, 2009 at 1:36 AM, <[email protected]> wrote: > >> > >> On Fri, 09 Oct 2009 00:47:24 +0530, srujan said: > >> > >> > What is the vulnerability selection criteria of Tipping Point, Juniper > IPS > >> > products. > >> > > >> > Is it covering each and every CVE ID or is it selecting particular > kind of > >> > attacks. If so what is selection criteria (cvss score or severity > level or > >> > most publicly exploited) > >> > >> If the answer isn't "customer network admin selects it", the products > are > >> broken and brain damaged. Different sites have different security > stances, > >> and different opinions regarding the trade-off between the added > security > >> benefit and the throughput and latency hits you take. > >> > >> Even within a site, the trade-offs may vary. I have some machines that > >> are actually air-gapped, some that are heavily firewalled, and some that > >> are lightly firewalled - and there's probably some Snort sensors and > honeypots > >> too.. ;) > >> > >> If you're asking for "what pre-canned detection rules they come with", > it's > >> probably "all the known vulns that we can figure out how to write a > Snort > >> rule that doesn't suck resources". :) > >> > >> OK, maybe they don't use Snort - but the same problems of filter > >> expressiveness, whether/how to do a regexp, and so on, are faced by all > IDS/IPS > >> systems. If you need to do a regexp backref, it's going to either not > be part > >> of the available toolset, or it's going to suck at line rate on high > speed > >> interfaces. Matching '\((134|934){3,5})\(foo|bar)(more ugly)(\1|\2)' is > going > >> to suck whether it's Snort or silicon. > >> > > > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- http://www.goldwatches.com
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
