ActiveScout's whole approach to the issue of reducing false positives is to assume that all attacks occur after a reconnaissance effort has been conducted. While this is certainly true in many cases, it is unlikely that _all_ attacks follow recon.
As far as I am able to determine (I've not yet tested their product), their "mark" is a combination of a source IP and some dummy data (probably a false username, password, etc.) that is unique to that particular recon attempt. If you assume that their product can successfully identify all of its "marks" when they return, it is then within reason to take their marketing department's word that they have "zero false positives." When there is no hard and fast definition of "zero false positives" by which such claims can be measured, those who market IDS/IPS products can position their argument in such a way that they're not technically wrong.
We come at the issue from a very different angle. If anyone would like to know more about it please contact me off list.
Happy Holidays,
Matt
Matt McGuirl
Lucid Security Corporation
Email: mmcguirl_at_lucidsecurity.com
-----Original Message-----
From: Robert_Huber_at_bankone.com [mailto:Robert_Huber_at_bankone.com]
Sent: Wednesday, December 11, 2002 7:59 AM
To: focus-ids_at_securityfocus.com
Subject: RE: Intrusion Prevention
From what I understand, ForeScout tags all scans, so when they see a real attack they pick up the tag and accurately identify it. This works fine for most stuff; however, it assumes that all attacks start with a scan of some sort.
Received on Dec 11 2002
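The "mark" scheme the thread describes, as an added simulation that is not part of either message and not ForeScout's code: a dummy username unique to each (source IP, probe) is handed out during recon, a later login that reuses it is flagged as the recon coming back, and an attack with no prior recon stays invisible to the scheme. The class and function names, the HMAC-derived username format and the sample addresses are constructed for illustration.

```python
# Constructed simulation of the recon "mark" scheme discussed in the thread.
# MarkStore, the HMAC-derived dummy username and the login cases are assumptions.
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # per-deployment secret (constructed value)


class MarkStore:
    """Plants one dummy username per (source IP, probe) and recognises it later."""

    def __init__(self):
        self.marks = {}   # dummy username -> (src_ip, probe) that received it

    def respond_to_recon(self, src_ip, probe):
        # Derive a username unique to this recon attempt. Keying the derivation
        # with a secret makes a stray match on a planted name non-coincidental.
        tag = hmac.new(SECRET, f"{src_ip}|{probe}".encode(), hashlib.sha256)
        mark = "svc_" + tag.hexdigest()[:12]
        self.marks[mark] = (src_ip, probe)
        return mark

    def classify_login(self, src_ip, username):
        # "marked-return": the login reuses planted data, so it is the recon
        # coming back. "unmarked": legitimate use OR an attack with no prior recon.
        origin = self.marks.get(username)
        if origin is None:
            return "unmarked", None
        return "marked-return", origin[0]


def simulate():
    """Run the three cases the thread argues over and return a verdict per case."""
    store = MarkStore()
    # Case 1: a scanner probes, then comes back using the planted username.
    planted = store.respond_to_recon("198.51.100.7", "smb-enum-users")
    recon_then_attack = store.classify_login("198.51.100.7", planted)
    # Case 2: an ordinary user logs in with a real account name.
    legitimate = store.classify_login("192.0.2.10", "alice")
    # Case 3: an attack that skipped recon entirely (the scheme's blind spot).
    no_recon_attack = store.classify_login("203.0.113.5", "administrator")
    return {
        "recon_then_attack": recon_then_attack,
        "legitimate": legitimate,
        "no_recon_attack": no_recon_attack,
    }
```

Only case 1 is flagged; case 3 shows why "zero false positives" says nothing about the attacks the scheme never sees.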