I was at an ISS event (but I guess it applies to all IPS vendors) where they said after a signature is written they QA it to prevent false positives, for about 8 weeks in the wild.
It sounded a little counter productive to the "virtual patching" claims, since that often means the protection comes in after I've already patched the system. I agree I wouldn't deploy prevention prior to being sure it'll not cause a DoS to the network (or at all until this technology matures a little more), but with this attitude what is the IPS virtual patch hype all about? ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
