Re: False Positives with IntruVert
On Fri, 2003-03-28 at 11:36, Cure, Samuel J wrote:

> Looking for some feedback on IntruVert. I have a client that is evaluating

I don't either. There's a lot of jabber about IPS these days, but the
reality is, until the false positives problem is solved they will see
extremely limited duty.

> Has anyone put IntruVert into full Prevention mode and what were the

I haven't seen any studies, but I can tell you from having used
Intrusion Inc's SecureNet Pro, snort and Cisco IDS, I'd be very
surprised to find a product with *no* false positives - especially those
that are purely signature based (almost none are anymore, but they all
use signatures.)

We are doing some limited IPS with snort, but the only rules we use it
on are detections of CodeRed on our network (and I just discovered some
false positives with that), and a custom rule I wrote to deliberately
block certain IPs that were persistently probing us.

I would be extremely hesitant to widely deploy IPS in a production
network.

--
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member
Received on Fri Mar 28 13:22:34 2003