IDS: Re: Intrusion Prevention

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

IDS mailing list archives

Re: Intrusion Prevention

From: Vern Paxson <vern () icir org>
Date: Mon, 09 Dec 2002 23:13:13 -0800

FYI, the way it works is by responding to scans with bogus replies that are
unique to a particular scan.  Then, when subsequent attack traffic includes
the fingerprint left in the bogus reply, the IDS immediately knows that the
traffic corresponds to an attacker (assuming it correctly identified the
initial recon scan as reflecting an attacker); hence, "no false positives".

Disclaimer: I'm on Forescout's technical advisory board, hence have a
direct interest in the company.  (Anti-disclaimer: I joined their board
because I do think their technology is cool. :-)

                Vern

By Date By Thread

Current thread:

RE: Intrusion Prevention, (continued)
- RE: Intrusion Prevention Avi Chesla (Dec 09)
- Re: Intrusion Prevention Jill Tovey (Dec 09)
  - Re: Intrusion Prevention Frank Knobbe (Dec 10)
- RE: Intrusion Prevention Adam Powers (Dec 10)
- RE: Intrusion Prevention Ralph Los (Dec 10)
- Re: Intrusion Prevention Vern Paxson (Dec 10)
  - RE: Intrusion Prevention Chris Petersen (Dec 11)
  - Intrusion Prevention Johnny Kho (Dec 23)
- RE: Intrusion Prevention Robert_Huber (Dec 11)
- RE: Intrusion Prevention Matthew L. McGuirl (Dec 11)
  - RE: Intrusion Prevention Frank Knobbe (Dec 11)