TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
I am fairly new in the area of Intrusion Detection and am concerned about the
quantity of supposed false positives with respect to TFN2000, Mstream_Master, and
Stream_DoS. I don't want to treat my IDS as "the person who cried wolf". These DoS
attacks did (and still can) have a major impact on the Net. My question is: when we
accept the fact that these are false positives, how will we know when there is a real
attack? For example: as I understand it, some of these detects, such as Mstream_Master,
can be precursors to an actual DoS attack. Further, as I understand it, one of the
reasons you have Intrusion Detection is to react to a detect before "the big one
hits". If false positives such as Mstream_Master are to be ignored, don't we have a
self-imposed denial of service (conceptually, not literally)? Meaning, we can no longer
react to this type of detect and have partially disabled (by ignoring) what we have
tried to implement.
Also, regarding the additional feature which will be available in a future X-Press
Update: it's my newbie opinion that simply turning off a decode, or a port in a
policy, defeats the purpose of detection of that activity. If you turn off the decode,
don't you disable the ability to detect a particular attack? Further, turning off a
port detect would reduce the "noise", but, as I understand it, many of these hacking tools
could then just be set up to "listen" or operate on the ports you just turned off.
(I would think that many attackers would be using their tools with altered port
settings and not the default port settings for those tools.) Wouldn't port 53 then be
"fair game"? Therefore, the attacks go undetected by the IDS. If this is incorrect,
please excuse my ignorance, but this sounds like more of a problem than maybe a
solution. Perhaps a more accurate way of identifying the attack could be a better
solution? Sorry for the bandwidth.
>>> Mark Teicher <[EMAIL PROTECTED]> 08/04/00 11:57AM >>>
When will the X-Press Update be available???
/m
At 08:54 PM 8/3/00 -0400, Eng, Audra wrote:
>
>There can be false positives related to the TFN2K signature - most of the
>false positives deal strictly with DNS traffic. ISS is currently addressing
>this problem and will come out with an X-Press Update to fix it in the near
>future. Another feature in the works for the next RealSecure Network Sensor
>is an event filter capability to turn off a particular decode for a
>specific machine and/or port in the policy.
>
>Thanks for the comments - we're listening!
>
>Audra
>
>-----Original Message-----
>From: Neil Long [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, August 03, 2000 3:19 AM
>To: Jared Tabb; Joe Blow; [EMAIL PROTECTED]
>Subject: Re: RealSecure v5.0 and False Positives
>
>
>
>
>Just to confirm a similar blizzard of false TFN2000 alerts - again a
>mix of genuine DNS UDP requests and audio/video streams (bbc.co.uk does
>it here).
>
>How does anyone get hold of the Xpress Updates if the management
>console is on a non-routeable network (i.e. secure out of band)?
>
>If I use a non-master console which I could temporarily connect to
>routeable feed then the Xpress_Updates option disappears off the sensor
>menu.
>
>Is the MicroUpdate 1.1 for v5.0 available other than via the console
>app?
>
>Thanks
>Neil
>
>--
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Dr Neil J Long, Computing Services, University of Oxford
> 13 Banbury Road, Oxford, OX2 6NN, UK Tel:+44 1865 273232 Fax:+44 1865 273275
> EMail: [EMAIL PROTECTED]
> PGP: ID 0xE88EF71F OxCERT: [EMAIL PROTECTED] PGP: ID 0x4B11561D
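The thread above weighs two ways of quieting the TFN2K false positives: switching the decode off (which the first poster worries blinds the sensor entirely, or lets an attacker hide on a whitelisted port such as 53), versus the per-machine/per-port event filter Audra describes. The following is an added example, not code from the original posts or from ISS/RealSecure, that models a sensor with a placeholder "TFN2K-like" decode and runs it over constructed traffic under each policy. The decode heuristic (a UDP datagram whose payload is mostly high-bit bytes), the `EventFilter` shape, and every address and packet are assumptions made for the demonstration, not RealSecure's real signature or filter format.

```python
"""Compare IDS tuning policies for a noisy decode.

Added example, constructed for this thread. The decode below is a stand-in
heuristic, not RealSecure's TFN2K signature, and the traffic is made up.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes


@dataclass(frozen=True)
class EventFilter:
    """Suppress one decode for a specific host and/or port.

    Assumed shape of the filter described in the thread: either field may be
    left unset, and an unset field matches anything.
    """
    decode: str
    host: Optional[str] = None
    port: Optional[int] = None

    def suppresses(self, decode: str, pkt: Packet) -> bool:
        if decode != self.decode:
            return False
        if self.host is not None and self.host not in (pkt.src, pkt.dst):
            return False
        if self.port is not None and self.port not in (pkt.sport, pkt.dport):
            return False
        return True


def tfn2k_like_decode(pkt: Packet) -> bool:
    """Placeholder heuristic (assumption): UDP with a mostly high-bit payload.

    Chosen so that encrypted-looking DoS agent traffic, DNS replies and media
    streams all trip it, which is the false-positive problem being discussed.
    """
    if pkt.proto != "udp" or len(pkt.payload) < 8:
        return False
    high = sum(1 for b in pkt.payload if b >= 0x80)
    return high / len(pkt.payload) > 0.5


DECODES = {"TFN2K_like": tfn2k_like_decode}

Alert = Tuple[str, str, int, str, int]


def run_sensor(packets: Iterable[Packet],
               filters: Iterable[EventFilter] = (),
               disabled: Iterable[str] = ()) -> List[Alert]:
    """Run every enabled decode over the packets, applying event filters."""
    disabled = set(disabled)
    filters = list(filters)
    alerts: List[Alert] = []
    for pkt in packets:
        for name, decode in DECODES.items():
            if name in disabled or not decode(pkt):
                continue
            if any(f.suppresses(name, pkt) for f in filters):
                continue
            alerts.append((name, pkt.src, pkt.sport, pkt.dst, pkt.dport))
    return alerts


# Constructed traffic: a 256-byte payload of all high-bit bytes stands in for
# anything the placeholder decode cannot tell apart from agent traffic.
NOISE = bytes(range(0x80, 0x100)) * 2
TRAFFIC = [
    Packet("10.0.0.53", "10.0.0.20", "udp", 53, 33000, NOISE),      # site resolver reply
    Packet("192.0.2.10", "10.0.0.20", "udp", 1234, 5004, NOISE),    # audio/video stream
    Packet("203.0.113.7", "10.0.0.20", "udp", 53, 53, NOISE),       # unknown host hiding on 53
    Packet("10.0.0.20", "10.0.0.80", "tcp", 40000, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

PORT_ONLY = [EventFilter("TFN2K_like", port=53),
             EventFilter("TFN2K_like", host="192.0.2.10")]
HOST_AND_PORT = [EventFilter("TFN2K_like", host="10.0.0.53", port=53),
                 EventFilter("TFN2K_like", host="192.0.2.10")]


def compare_policies() -> dict:
    """Alert counts under each tuning policy for the constructed traffic."""
    return {
        "decode_on_no_filters": len(run_sensor(TRAFFIC)),
        "decode_off_globally": len(run_sensor(TRAFFIC, disabled={"TFN2K_like"})),
        "filter_port_53_only": len(run_sensor(TRAFFIC, PORT_ONLY)),
        "filter_host_and_port": len(run_sensor(TRAFFIC, HOST_AND_PORT)),
    }


if __name__ == "__main__":
    for policy, count in compare_policies().items():
        print(f"{policy:24s} alerts={count}")
    for alert in run_sensor(TRAFFIC, HOST_AND_PORT):
        print("still fires:", alert)
```

With the decode left on, all three UDP packets alert; disabling it globally silences the unknown host along with the resolver and the stream; a filter keyed on port 53 alone also hides the unknown host, which is exactly the "port 53 is fair game" concern; a filter keyed on the known resolver's address and port 53 drops the two false positives while the same payload from an unrecognised host on port 53 still alerts. Scoping suppression to the specific machine that generates the noise, rather than the port, is what keeps the detection useful.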