Focus on IDS
Remote File include (RFI) vulnerabilities Jul 16 2008 07:05PM
Ravi Chunduru (ravi is chunduru gmail com) (1 replies)
Re: Remote File include (RFI) vulnerabilities Jul 17 2008 06:03AM
Jamie Riden (jamie riden gmail com)
2008/7/16 Ravi Chunduru <ravi.is.chunduru (at) gmail (dot) com [email concealed]>:
> Hi,
>
> I am using IntruPro-IPS to protect both servers and clients. It seems
> to be flagging RFI-related anomalies for traffic going from internal
> clients to servers on the Internet. I thought these attacks need to be
> detected only if the internal servers are being attacked. That is, I
> think that RFI detection is needed for server protection.
>
> Is it necessary to check the internal client traffic, that is, is this
> needed for client-side protection? Any reasons?

I used to find outgoing alerts more useful than incoming - if an
internal client is sending malicious traffic, you know you have a
serious problem! In contrast, incoming alerts will tell you about a
whole load of failed attacks that you may well be patched against.

Rule tuning on IDS varies from site to site, so I'm not going to tell
you what you should be doing - do whatever you find most helpful.

cheers,
Jamie
--
Jamie Riden / jamesr (at) europe (dot) com [email concealed] / jamie (at) honeynet.org (dot) uk [email concealed]
UK Honeynet Project: http://www.ukhoneynet.org/
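
The triage the reply describes, as an added example that is not part of the original thread: it splits RFI-looking HTTP requests by direction and lists those sent by internal clients first. The internal ranges, the sample events and the extra "lateral" label for internal-to-internal traffic are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Assumption: the site's internal address space; adjust to the real network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample events (source, destination, requested URI); not real traffic.
SAMPLE_EVENTS = [
    ("203.0.113.9", "10.0.0.5", "/index.php?page=http://198.51.100.7/s.txt?"),
    ("10.0.1.23", "198.51.100.80", "/view.php?inc=http://203.0.113.50/c.txt?"),
    ("10.0.1.40", "198.51.100.81", "/news.php?id=42"),
    ("10.0.1.23", "10.0.0.5", "/index.php?file=ftp://203.0.113.50/x.txt"),
]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def rfi_params(uri):
    """Return the query parameters whose value starts with a remote URL scheme."""
    query = urlsplit(uri).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if value.lower().startswith(("http://", "https://", "ftp://"))]

def triage(events):
    """Label each RFI-looking request by direction relative to INTERNAL_NETS."""
    results = []
    for src, dst, uri in events:
        params = rfi_params(uri)
        if not params:
            continue  # no remote URL in any parameter: not an RFI-style request
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and not dst_in:
            label = "outbound"  # an internal client sent it: look at that host
        elif dst_in and not src_in:
            label = "inbound"   # attempt against our server: check patch state
        elif src_in and dst_in:
            label = "lateral"   # internal client to internal server
        else:
            label = "external"
        results.append((label, src, dst, params))
    # Internal sources first, following the reasoning in the reply above.
    order = {"outbound": 0, "lateral": 1, "inbound": 2, "external": 3}
    return sorted(results, key=lambda r: order[r[0]])

if __name__ == "__main__":
    for label, src, dst, params in triage(SAMPLE_EVENTS):
        print(f"{label:8} {src} -> {dst} params={params}")
```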
