I work for ISS. A customer can use either model. ISS ships a spreadsheet with each content update (its name is typically issue_responses.csv) that describes the recommended blocking actions for each algorithm or signature. The spreadhseet is installed on the appliance with each update. The appliances are configured to use this spreadhseet to configure blocking by default. Customers can then choose to disable these default blocks or enable their own blocks on an algorithm by algorithm basis.
Also, a customer can reconfigure the appliance to not use the ISS recommendations at all. In that case, the appliance will only block on those algorithms that the customer specifically configures. Paul -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 18, 2006 7:49 AM To: [email protected] Subject: Re: ISS - virtual patching I don't get it. How do signatures get their status (detection only or also prevention)? Do the vendors release the signatures with this marked in the signature or does the SOC team need to read the signatures and decide one by one how to deploy them for each device? ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
