IDS
mailing list archives
Re: True definition of Intrusion Prevention
From: George Capehart <gwc () acm org>
Date: Mon, 5 Jan 2004 17:26:01 -0500
On Monday 05 January 2004 03:12 pm, Brad McGary wrote:
> I agree with your comments but would offer the thought process
> regarding the structure of an attack scenario. Most attacks start
> with recon and end with target-specific exploits. I've been using a
> commercial version of Hogwash for about two years and have
> significantly reduced the number of successful attacks launched
> against our environments by preventing the more prolific recon tools
> from returning target intelligence. As for the worm attacks, we've
> been relatively successful at stopping these since they mostly
> utilize exploits which have mature Snort signatures. In the end
> there's no panacea and we see our share of false positives and false
> negatives, I'm sure. Please take these comments as just my specific
> experience and understand I certainly don't want to engage in any
> heated debates.

Hi Brad,
Thanks for sharing your experience. And, while heated debates tend to
drift away from the topic, I'd be interested in hearing what others
have done to try to head off attacks. This gets exactly to the point
that, to my way of thinking, to prevent intrusions one needs to employ
a *process* which has many dimensions. You have very clearly described
one aspect of that process . . .
Regards,
George Capehart