Re: [logs] Signatures

From: Stefano Zanero (zanero@private)
Date: Thu Aug 26 2004 - 02:47:50 PDT


Marcus J. Ranum wrote:

> For example, would you call SYN flood detection by tracking
> SYN/ACK/RST patterns an intrusion detection signature? I sure
> would! 

Oh, no, not again... let's steer away from the misuse detection vs. 
signature definition please :)

> What's important to note, and that I try to convey in my
> definition, is that a key piece of the value of a signature
> is that it *explains* what it thinks it matched.

150% agreed. It's a point I make every time I speak about anomaly 
detection. True "anomaly" detection cannot tell you what is exactly 
wrong. At most, it can give you hints about where to look.

Stefano
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
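The contrast drawn in this exchange (a SYN-flood "signature" that tracks SYN/ACK/RST patterns and explains its match, versus anomaly detection that can only hint at where to look) as an added illustration, not code from the thread or from either poster. The event records, the window layout, the IP addresses, the `threshold` and `k` parameters are all constructed assumptions; the SYN/ACK from the server side is deliberately not modelled, only the client-side SYN, final ACK and RST.

```python
"""Added example: a signature-style SYN-flood check that explains what it
matched, next to an anomaly-style SYN-rate check that only reports a deviation.
All traffic below is constructed sample data, not captured packets."""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class TcpEvent:
    src: str
    dst: str
    flags: str  # "S" = client SYN, "A" = client's final handshake ACK, "R" = RST


def syn_flood_signature(events, threshold=20):
    """Signature: a (src, dst) pair with many SYNs that are neither completed
    by an ACK nor torn down by a RST. Every alert says exactly which counts
    matched and against which threshold (the 'explains what it matched' point)."""
    syns, acks, rsts = Counter(), Counter(), Counter()
    for e in events:
        key = (e.src, e.dst)
        if e.flags == "S":
            syns[key] += 1
        elif e.flags == "A":
            acks[key] += 1
        elif e.flags == "R":
            rsts[key] += 1
    alerts = []
    for key, n_syn in syns.items():
        half_open = n_syn - acks[key] - rsts[key]
        if half_open >= threshold:
            src, dst = key
            alerts.append(
                f"SYN flood signature matched: {src} -> {dst}: {n_syn} SYN, "
                f"{acks[key]} completed, {rsts[key]} RST, "
                f"{half_open} half-open (threshold {threshold})"
            )
    return alerts


def syn_rate_anomaly(windows, k=3.0):
    """Anomaly: flag a time window whose total SYN count sits more than k
    standard deviations above the baseline formed by the other windows.
    The hint says only that a window is off and where to look; it names no
    source, no destination and no attack type."""
    counts = [sum(1 for e in w if e.flags == "S") for w in windows]
    hints = []
    for i, c in enumerate(counts):
        others = counts[:i] + counts[i + 1:]  # leave-one-out baseline
        if len(others) < 2:
            continue
        mu, sigma = mean(others), pstdev(others)
        # floor the spread at 1.0 so a perfectly flat baseline does not flag noise
        if c > mu + k * max(sigma, 1.0):
            hints.append(f"window {i}: {c} SYNs vs baseline {mu:.1f} +/- {sigma:.1f}; look here")
    return hints


def build_sample():
    """Constructed traffic: five windows of ten normal, completed handshakes
    each, then one window where a single source (constructed address) sends
    40 SYNs to one server and never completes or resets."""
    windows = []
    for w in range(5):
        win = []
        for i in range(10):
            client = f"10.0.{w}.{i}"
            win.append(TcpEvent(client, "203.0.113.10", "S"))
            win.append(TcpEvent(client, "203.0.113.10", "A"))
        windows.append(win)
    flood = [TcpEvent("198.51.100.7", "203.0.113.10", "S") for _ in range(40)]
    normal = []
    for i in range(10):
        client = f"10.0.5.{i}"
        normal.append(TcpEvent(client, "203.0.113.10", "S"))
        normal.append(TcpEvent(client, "203.0.113.10", "A"))
    windows.append(flood + normal)
    return windows


if __name__ == "__main__":
    ws = build_sample()
    for line in syn_flood_signature([e for w in ws for e in w]):
        print(line)
    for line in syn_rate_anomaly(ws):
        print(line)
```

Running it, the signature output names the source, the destination and the three counts that produced the match, while the anomaly output can only point at the last window. That is the practical difference the thread is about: the signature's alert is self-explanatory, the anomaly hint still needs an analyst to go and find out what the 50 SYNs in that window were.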

This archive was generated by hypermail 2.1.3 : Fri Aug 27 2004 - 10:34:34 PDT