<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos

IDS: Re: Firewall Activity analysis

Re: Firewall Activity analysis

From: Matt Harris <mdh_at_unix.si.edu>
Date: Wed, 11 Dec 2002 17:11:45 -0500

"Anton A. Chuvakin" wrote:
>
> And the dangerous thing about jumping in and implementing some simple
> rules (such as "connection failed -> conn successful"), might create a
> nice little (well, BIG actually!) "false-positive machine" and NIDS
> systems already provide plenty of that.

Just imagine if an SSL web server (port 443) had images on it hosted on
the same system on an insecure virtual host (port 80) and the image
server went down (failed connection), then they clicked a link to
another document on the secure server (successful connection)... It
would more than likely be going off for everyone hitting the web site...
For a busy site, this could spell disaster.

-- 
/*
 *
 * Matt Harris - Senior UNIX Systems Engineer
 * Smithsonian Institution, OCIO
 *
 */

Received on Dec 12 2002

This message: [ Message body ]
Next message: Matthew F. Caldwell: "RE: Firewall Activity analysis"
Previous message: Frank Knobbe: "RE: Intrusion Prevention"
In reply to: Anton A. Chuvakin: "RE: Firewall Activity analysis"
Next in thread: Matthew F. Caldwell: "RE: Firewall Activity analysis"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]

edgeos