On Tue, 14 Apr 1998, Marcus J. Ranum wrote:

> Adam,
>
> To me the big open question in ID is "why?" not "what?"

Because if you do not alert the user that he is under attack by the attacks that you can detect and evade, he will never know when the hacker moves on to some new attack your gizmo does not know about yet. Most attackers will move from one technique to the next until they find one that works. For example, if someone portscans you and finds you are running a daemon for the FOO protocol on port 666 with a bug he knows about but your IDS does not, and the IDS does not report the portscan because you don't want to be bothered, then you have just thrown out the only clue you had that you may have been broken into.

Aleph One / aleph1at_private
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
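The point of the message above, as an added example that is not part of the original post or of any IDS product it discusses: a small scan detector run over a constructed connection log. The log format, the hosts, the threshold and window, and the idea of escalating later connections from a known scanner are all assumptions made for the example. Keeping the portscan alert is what lets the later connection to port 666 be reported at all; switching the scan detector off to avoid the noise (report_scans=False) drops that follow-up too.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample connection log (hypothetical firewall/flow format:
# timestamp, source, destination, destination port, outcome). 10.9.8.7 sweeps
# the host, finds port 666 open, and comes back to it a few minutes later.
SAMPLE_LOG = """\
1998-04-14T10:00:01 10.9.8.7 192.0.2.10 21 REFUSED
1998-04-14T10:00:01 10.9.8.7 192.0.2.10 22 REFUSED
1998-04-14T10:00:02 10.9.8.7 192.0.2.10 23 REFUSED
1998-04-14T10:00:02 10.9.8.7 192.0.2.10 25 ACCEPTED
1998-04-14T10:00:03 10.9.8.7 192.0.2.10 80 REFUSED
1998-04-14T10:00:03 10.9.8.7 192.0.2.10 666 ACCEPTED
1998-04-14T10:00:04 10.9.8.7 192.0.2.10 6667 REFUSED
1998-04-14T10:05:30 10.9.8.7 192.0.2.10 666 ACCEPTED
1998-04-14T10:06:00 198.51.100.5 192.0.2.10 25 ACCEPTED
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ACCEPTED|REFUSED)$")


def parse_line(line):
    """Return (timestamp, src, dst, port, outcome), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, outcome = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), outcome


def detect(log_text, threshold=5, window=timedelta(seconds=60), report_scans=True):
    """Walk the log once and return the alerts it produces, in order.

    PORTSCAN fires when one source touches `threshold` distinct ports on one
    destination within `window` (assumed values, tune for the site). From then
    on every ACCEPTED connection from that source to that destination is
    reported as POST_SCAN_CONNECT: the scan is what makes the later connection
    worth looking at. With report_scans=False the scan detector is switched
    off entirely, which is the "don't want to be bothered" configuration the
    message warns about, so the follow-up connection is never reported either.
    """
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, port) inside window
    flagged = set()               # (src, dst) pairs already reported as scans
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, outcome = rec
        key = (src, dst)
        if key in flagged:
            # Known scanner: any successful connection is the clue we care about.
            if outcome == "ACCEPTED":
                alerts.append(("POST_SCAN_CONNECT", src, dst, port))
            continue
        if not report_scans:
            continue
        q = recent[key]
        q.append((ts, port))
        while ts - q[0][0] > window:      # expire records outside the window
            q.popleft()
        ports = sorted({p for _, p in q})
        if len(ports) >= threshold:
            flagged.add(key)
            alerts.append(("PORTSCAN", src, dst, tuple(ports)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as-is it prints one PORTSCAN alert for 10.9.8.7 followed by two POST_SCAN_CONNECT alerts for port 666; the same log with report_scans=False yields nothing, which is exactly the lost clue described above.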
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:18 PDT