There are many parameters involved for bringing up such situation. 1. Firstly, yes Signature QA testing might have skipped or problems found during testing might have been ignored due to severity of threat for which the signatures were created in that release. 2. Testing might have happened on different product from the one which you are using. Coz when signature(s) for a newly discovered critical vulnerability are added and due to pressure of deilvering the signature pack super fast, its not always feasible to test same signature pack against 20different products/versions. 3. Vendor might have used different test environment for testing. For example, vendors might have tested the signature pack by configuring a dummy network on IDS/IPS running 2-3domains. But in live environment you might have few 100s of different domains configured. 4. Vendor might have tested the signatures just for accuracy/syntax/working/attack blocking and might have skipped the performance testing of IPS after including new signatures with older set. There could be many more reasons....And its not the case of "xxx" vendor, these problems can be with any IPS vendor. But ofcourse its a serious problem and vendors should pay high attention to QA rather than increasing the signature count. Coz no one would like to make his/her machine secure by plugging out the network cable. -Dhruv
--- David Williams <[EMAIL PROTECTED]> wrote: > I'm evaluating a Tipping Point box and after > gettting the latest > signatures I'm having problems with the box > "crashing". My goal is > not to bash Tipping Point, but instead to gather > information on how > often people have seen this type of thing among IPS > boxes. > > Is there a trend with vendors to roll out signatures > as fast as > possible without proper QA? This brings up a lot of > questions about > deploying IPS. I want two opposite things from my > vendors: 1) I want > the latest signatures super fast. 2) I want proper > QA so that it > doesn't bring down my network. I realize those two > things are > contradictory, but I thought I'd throw it out there > to see if anybody > had any thoughts. > > thanks, > > d > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 > to learn more. > ------------------------------------------------------------------------ > > __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
