Marcus J. Ranum wrote:
> For example, would you call SYN flood detection by tracking
> SYN/ACK/RST patterns an intrusion detection signature? I sure
> would!

Oh, no, not again... let's steer away from the misuse detection vs. signature definition please :)

> What's important to note, and that I try to convey in my
> definition, is that a key piece of the value of a signature
> is that it *explains* what it thinks it matched.

150% agreed. It's a point I make every time I speak about anomaly detection. True "anomaly" detection cannot tell you what is exactly wrong. At most, it can give you hints about where to look.

Stefano

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Fri Aug 27 2004 - 10:34:34 PDT