Aleph, I think you're correct in that you can detect the fact that you're under attack. Marcus is right in that most people don't have time to track it down and slap the script kiddie who is doing it. I'll extend what he said and say that most people don't have the expertise to analyze an NFR log to figure out what happened next.

Adam

Aleph One wrote:
| On Tue, 14 Apr 1998, Marcus J. Ranum wrote:
|
| > Adam,
| >
| > To me the big open question in ID is "why?" not "what?"
|
| Because if you do not alert the user that he is under attack by the
| attacks that you can detect and evade he will never know when the hacker
| moves on to some new attack your gizmo does not know about yet. Most
| attackers will move from one technique to the next until they find one that
| works.
|
| For example, if someone portscans you and finds you are running a daemon
| for the FOO protocol in port 666 with a bug he knows about but your IDS
| does not and the IDS does not report the portscan because you don't want to
| be bothered then you have just thrown out the only clue you had that you
| may have been broken into.
|
| Aleph One / aleph1at_private
| http://underground.org/
| KeyID 1024/948FD6B5
| Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

--
Just be thankful that Microsoft does not manufacture pharmaceuticals.