Howdy all,

What kind of data is necessary to collect for an intrusion? The answer to that should be -- anything that the defender deems an unwarranted action!!!

The true problem with IDS is the inability to set site policy (i.e. some sort of network policy auditor). Current IDS allows you to scan for known attacks, and has very limited capability to set site policy and audit that site policy. After all, aren't we REALLY trying to establish a way to scan the systems and networks for violation of site policy? Wouldn't it be nice to analyze the collected data and amend site policy based on your findings? Don't the needs of one site differ from those of another? Policy shouldn't be a rigid set of rules and should be able to be amended at the site's request.

That brings me back to my original question: what kind of data is necessary to collect for an intrusion? If the tools I use do not allow the amendment of the policy, then there exists a chance for attacks to go by unnoticed. Wouldn't it be possible to circumvent the IDS by tunneling a known attack over a known protocol? What if that protocol is encrypted? Wouldn't this lead us into the realm of behavioral analysis, and, if so, wouldn't this mean that we now have to start doing some sort of "forensics" to help expose this threat? What about making that threat known to our site policy? What if this attack only works on my site and not someone else's? The answer should be -- since it is unwarranted, we should be able to amend site policy and start capturing data!

IDS tools are extremely useful and have their place, but chaos needs order and sites need their networks/systems to be auditable!!!

Now another question comes into play (mainly for devil's advocacy): "If all the known attacks have been plugged on our networks/systems, then do I need to keep wasting bandwidth scanning for them?"

Well, that's my two cents,

Steve Wright
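As an added example, not from Steve's post or any IDS product: a small policy auditor in Python of the kind the post argues for, where flows are judged against the site's own amendable policy rather than against attack signatures. The rules, flow records and addresses are all constructed sample values.

```python
# Added example (not from the original post): a minimal site-policy auditor
# of the kind the post argues for. Policy and flow records are constructed
# sample data; flows are judged against the site's own rules, not signatures.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str    # CIDR of permitted source network
    dst: str    # CIDR of permitted destination network
    port: int   # permitted destination port
    proto: str  # "tcp" or "udp"

    def matches(self, flow):
        return (ip_address(flow["src"]) in ip_network(self.src)
                and ip_address(flow["dst"]) in ip_network(self.dst)
                and flow["dport"] == self.port
                and flow["proto"] == self.proto)

@dataclass
class SitePolicy:
    rules: list = field(default_factory=list)

    def amend(self, rule):
        """Amend the policy at the site's request, as the post asks for."""
        self.rules.append(rule)

    def audit(self, flows):
        """Return every flow no rule warrants: the site's own 'intrusion' data."""
        return [f for f in flows if not any(r.matches(f) for r in self.rules)]

# Constructed policy: workstations may browse the web and query the local DNS.
POLICY = SitePolicy([
    Rule("10.0.0.0/24", "0.0.0.0/0", 443, "tcp"),
    Rule("10.0.0.0/24", "0.0.0.0/0", 80, "tcp"),
    Rule("10.0.0.0/24", "10.0.0.53/32", 53, "udp"),
])

# Constructed flow records as a flow exporter might emit them.
FLOWS = [
    {"src": "10.0.0.7", "dst": "198.51.100.10", "dport": 443, "proto": "tcp"},
    {"src": "10.0.0.7", "dst": "10.0.0.53", "dport": 53, "proto": "udp"},
    # Outbound SSH from a workstation: matches no signature, but the policy
    # never warranted it, so it surfaces even if the session is encrypted.
    {"src": "10.0.0.9", "dst": "203.0.113.5", "dport": 22, "proto": "tcp"},
    {"src": "10.0.0.9", "dst": "10.0.0.12", "dport": 445, "proto": "tcp"},
]

def unwarranted(policy=POLICY, flows=FLOWS):
    return policy.audit(flows)
```

Amending the policy with a rule for a newly approved path (for instance SSH to one specific outside host) removes that flow from the audit output, while the still-unexplained flows keep being reported.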
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:45 PDT