Paul D. Robertson wrote:
> 1.3) The more adept ones will filter the alerts through some sort of
> engine to decide which ones reach their pager. In some environments
> this could be a very good thing.
>
> 1.4) Others will learn which alerts mean "hit erase" and which ones mean
> "grab the Palm Pilot and ssh in".

In other words, the administrator will apply site policy to the IDS by building a filtering layer on top of its alert mechanism. That will be based on the administrator's knowledge of site policy and local risk/threat posture. We're 100% agreed. But what I am saying is that the IDS should be able to permit that tuning directly, by getting that information from the administrator so the IDS can tailor its behavior to what it has been told is acceptable/unacceptable/interesting about the network it's watching.

mjr.

[ :) Part of what's going on here is that I posted a bunch of arguments when I was really tired and braindamaged, and I did most of my writing using my own messed-up internal terminology and logic. :) Which was a big mistake because I've confused people or convinced them I am a nut. :) ]

--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
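A policy-driven alert filter of the kind the message describes, as an added example that is not part of the original thread or of any NFR product: the administrator states what is acceptable, unacceptable and interesting up front, and the IDS routes each alert to "erase", "log" or "page" from that. The alert keys, the SitePolicy fields and the sample addresses and signature names are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SitePolicy:
    """What the administrator tells the IDS about the watched network."""
    acceptable: set = field(default_factory=set)    # (source net, service): normal, drop it
    unacceptable: set = field(default_factory=set)  # services nobody may touch: page
    interesting: set = field(default_factory=set)   # signature names: record, do not page
    default_action: str = "log"                     # anything the policy does not mention

def _from_net(src, net):
    return ipaddress.ip_address(src) in ipaddress.ip_network(net)

def route_alert(policy, alert):
    """Map one alert (assumed keys: src, dst, service, signature) to
    'erase', 'log' or 'page' according to the site policy."""
    for net, service in policy.acceptable:
        if service == alert["service"] and _from_net(alert["src"], net):
            return "erase"          # declared acceptable, e.g. the site's own scanner
    if alert["service"] in policy.unacceptable:
        return "page"               # forbidden service touched: wake someone
    if alert["signature"] in policy.interesting:
        return "log"
    return policy.default_action

def triage(policy, alerts):
    """Group a batch of alerts by the action the site policy assigns them."""
    out = {"erase": [], "log": [], "page": []}
    for a in alerts:
        out[route_alert(policy, a)].append(a)
    return out

# Constructed sample policy and alerts (documentation addresses, not real data)
POLICY = SitePolicy(
    acceptable={("10.0.1.0/24", "portscan")},      # the site's own scanner subnet
    unacceptable={"telnet", "netbios-ssn"},
    interesting={"WEB-CGI phf access"},
)
ALERTS = [
    {"src": "10.0.1.7", "dst": "10.0.5.20", "service": "portscan", "signature": "PORTSCAN"},
    {"src": "192.0.2.44", "dst": "10.0.5.20", "service": "telnet", "signature": "TELNET login attempt"},
    {"src": "198.51.100.9", "dst": "10.0.5.21", "service": "http", "signature": "WEB-CGI phf access"},
    {"src": "203.0.113.3", "dst": "10.0.5.22", "service": "smtp", "signature": "SMTP expn root"},
]

if __name__ == "__main__":
    for action, hits in triage(POLICY, ALERTS).items():
        print(action, [a["signature"] for a in hits])
```

Changing the policy, not the filter, is what retunes the output: adding a (net, service) pair to `acceptable` or a service to `unacceptable` moves alerts between the pager and the bit bucket without touching the detection logic.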
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:52 PDT