Carv, H C <keydet89at_private>

> What this leads to is the question of how useful such
> systems are in the face of network forensics. If the
> packet contents themselves aren't saved in some way,
> but only used to trigger an alert, then how suitable
> are such systems for forensics? To take a step back,
> if the signatures themselves aren't viewable, and only
> the alert, then how does the admin *really* determine
> what happened? In most cases, they'd be at the mercy
> of whatever info the IDS console provides.

You've very precisely hit a weak point of quite a few commercial IDS programs. The only thing (I can think of) an admin could do is run a sniffer (or another IDS that does record packets) in parallel and correlate the results, to find out what really happens "on the wire".

Regards,
Knut

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 15:14:21 PST
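Knut's suggestion, running a sniffer next to an alert-only IDS and correlating the two, as an added example that is not part of the original post or thread. Both the alert lines and the sniffer lines below are constructed sample data in an assumed, simplified format (real IDS and sniffer output will need their own parsers); the correlation key is the direction-agnostic 5-tuple, and a small time window absorbs clock skew between the IDS host and the sniffer host.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample data (not real traffic). IDS_ALERTS is what an
# alert-only console shows: a time, a signature name and a flow, but no
# payload. SNIFFER_LOG is what a sniffer run in parallel on the same
# segment recorded: time, flow and the payload the IDS never kept.
IDS_ALERTS = """\
2003-01-24 15:10:03 WEB-MISC long URI 10.0.0.5:3492 -> 192.168.1.10:80
2003-01-24 15:10:09 SMTP relay attempt 10.0.0.7:2200 -> 192.168.1.25:25
"""

SNIFFER_LOG = """\
2003-01-24 15:10:02 10.0.0.5:3491 > 192.168.1.10:80 GET /index.html HTTP/1.0
2003-01-24 15:10:03 192.168.1.10:80 > 10.0.0.5:3491 HTTP/1.0 200 OK
2003-01-24 15:10:03 10.0.0.5:3492 > 192.168.1.10:80 GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.0
2003-01-24 15:10:04 192.168.1.10:80 > 10.0.0.5:3492 HTTP/1.0 404 Not Found
2003-01-24 15:10:09 10.0.0.7:2200 > 192.168.1.25:25 RCPT TO:<user@example.org>
2003-01-24 15:10:20 10.0.0.7:2200 > 192.168.1.25:25 QUIT
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Assumed alert format: "<date> <time> <signature> <src>:<sport> -> <dst>:<dport>"
ALERT_RE = re.compile(r"^(\S+ \S+) (.+?) " + IP + r":(\d+) -> " + IP + r":(\d+)$")
# Assumed sniffer format: "<date> <time> <src>:<sport> > <dst>:<dport> <payload>"
PACKET_RE = re.compile(r"^(\S+ \S+) " + IP + r":(\d+) > " + IP + r":(\d+) (.*)$")


def flow_key(src: str, sport: int, dst: str, dport: int) -> frozenset:
    """Direction-agnostic flow key, so the server's reply matches the alert too."""
    return frozenset({(src, sport), (dst, dport)})


@dataclass
class Alert:
    ts: datetime
    sig: str
    flow: frozenset


@dataclass
class Packet:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    payload: str

    @property
    def flow(self) -> frozenset:
        return flow_key(self.src, self.sport, self.dst, self.dport)


def parse_alerts(text: str) -> List[Alert]:
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # ignore anything that is not an alert line
        ts, sig, src, sport, dst, dport = m.groups()
        alerts.append(Alert(datetime.strptime(ts, TS_FMT), sig,
                            flow_key(src, int(sport), dst, int(dport))))
    return alerts


def parse_packets(text: str) -> List[Packet]:
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, payload = m.groups()
        packets.append(Packet(datetime.strptime(ts, TS_FMT), src, int(sport),
                              dst, int(dport), payload))
    return packets


def correlate(alerts: List[Alert], packets: List[Packet],
              window: timedelta = timedelta(seconds=2)) -> List[Tuple[Alert, List[Packet]]]:
    """For every alert, collect the sniffer packets on the same flow whose
    timestamp lies within +/- window of the alert (window covers clock skew
    between the two sensors). Packets are returned in capture order."""
    result = []
    for a in alerts:
        hits = [p for p in packets
                if p.flow == a.flow and abs(p.ts - a.ts) <= window]
        result.append((a, hits))
    return result


def report(pairs: List[Tuple[Alert, List[Packet]]]) -> str:
    """Human-readable view: the alert the console showed, then the packets behind it."""
    out = []
    for a, hits in pairs:
        out.append(f"{a.ts.strftime(TS_FMT)} {a.sig}: {len(hits)} packet(s) on the wire")
        for p in hits:
            out.append(f"    {p.ts.strftime(TS_FMT)} {p.src}:{p.sport} > {p.dst}:{p.dport} {p.payload}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(correlate(parse_alerts(IDS_ALERTS), parse_packets(SNIFFER_LOG))))
```

The first alert resolves to two packets (the request that tripped the signature and the server's reply), while the second alert picks up only the RCPT line: the later QUIT on the same flow falls outside the window. Widen the window if the two sensors' clocks are not synchronised, and note that the 5-tuple alone cannot distinguish two sessions that reuse the same ports within the window, which is why the output keeps every candidate rather than picking one.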