Aleph One wrote:
>> To me the big open question in ID is "why?" not "what?"
>
>Because if you do not alert the user that he is under attack by the
>attacks that you can detect and evade he will never know when the hacker
>moves on to some new attack your gizmo does not know about yet.

That's what I'm talking about. IDS' useful role is as a backstop against
intrusions that have succeeded, not as frontal armor against known attacks
which (most likely) won't succeed. Note that most of the current IDS
products on the market are the "frontal armor" type.

I guess I'm doing a lousy job of explaining myself (chalk it up to
fatigue) -- the place where IDS are valuable is as automated tools to do
what Ches used to call "Tar Babies" -- traps and alarms that are scattered
within the network, to call attention to the presence of unusual activity.
This DOES NOT mean that they'll catch the attack based on the attack
technique used!!

I'm going to have a decent dinner and see if I can post a decent
description of what I'm talking about later this evening.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
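The contrast drawn in the message above, between signature-matching "frontal armor" and "Tar Baby" traps that fire on any contact with something no legitimate user should touch, can be shown in a few dozen lines. The following is an added illustration, not code from the original post or from NFR; every address, port, signature and event in it is constructed for the example.

```python
"""
Tripwire-style "Tar Baby" detection versus signature matching.

Two detectors run over the same constructed connection log:
  * signature_alerts()  flags only traffic that matches a known attack pattern
  * tarbaby_alerts()    flags any contact with a planted decoy, regardless of
                        what was sent, so a novel technique still trips it
All hosts, ports, signatures and events below are made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ConnEvent:
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    payload: str    # first bytes of the request, used only by the signature matcher


# Constructed signature list: what a signature-based IDS knows about today.
KNOWN_ATTACK_SIGNATURES: Tuple[str, ...] = (
    "GET /cgi-bin/phf?",   # a request pattern the IDS has a rule for
    "CWD ~root",           # another pattern the IDS has a rule for
)

# Constructed decoys ("Tar Babies"): an unused address on the subnet and a
# port on a real host that no legitimate service listens on.  Nothing
# sanctioned ever talks to these, so any contact is worth an alarm.
DECOY_ADDRESSES: Set[str] = {"10.0.0.250"}
DECOY_PORTS: Set[Tuple[str, int]] = {("10.0.0.20", 2049)}


def signature_alerts(events: Iterable[ConnEvent]) -> List[str]:
    """Alert only when a payload matches a known pattern; unknown techniques pass."""
    alerts: List[str] = []
    for e in events:
        for sig in KNOWN_ATTACK_SIGNATURES:
            if sig in e.payload:
                alerts.append(f"signature {sig!r} from {e.src} to {e.dst}:{e.dport}")
                break
    return alerts


def tarbaby_alerts(events: Iterable[ConnEvent]) -> List[str]:
    """Alert on any contact with a decoy; the technique used is irrelevant."""
    alerts: List[str] = []
    for e in events:
        if e.dst in DECOY_ADDRESSES or (e.dst, e.dport) in DECOY_PORTS:
            alerts.append(f"decoy touched: {e.src} -> {e.dst}:{e.dport}")
    return alerts


def compare(events: List[ConnEvent]) -> Dict[str, List[str]]:
    """Run both detectors over the same events for side-by-side comparison."""
    return {
        "signature": signature_alerts(events),
        "tarbaby": tarbaby_alerts(events),
    }


# Constructed sample log: one benign request, one known attack against a real
# host, one probe that lands on the unused decoy address, and one request
# using a technique the signature list has never seen, aimed at the decoy port.
SAMPLE_EVENTS: List[ConnEvent] = [
    ConnEvent("192.0.2.7", "10.0.0.10", 80, "GET /index.html HTTP/1.0"),
    ConnEvent("192.0.2.7", "10.0.0.10", 80, "GET /cgi-bin/phf?Qalias=x"),
    ConnEvent("192.0.2.7", "10.0.0.250", 23, "\xff\xfb\x01"),
    ConnEvent("192.0.2.7", "10.0.0.20", 2049, "\x80\x00\x00\x28"),
]

if __name__ == "__main__":
    for detector, alerts in compare(SAMPLE_EVENTS).items():
        print(f"{detector}: {len(alerts)} alert(s)")
        for a in alerts:
            print("   ", a)
```

Running it shows the asymmetry the post describes: the signature matcher raises one alert (the request it has a rule for) and is silent on the other three, while the decoys raise two, including the one whose technique no rule covers. The decoy alert says nothing about what the attacker did, only that someone is somewhere they should not be, which is exactly the backstop role argued for above.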
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:21 PDT