On Wed, 15 Apr 1998, Marcus J. Ranum wrote: > Paul D. Robertson wrote: > >1.3) The more adept ones will filter the alerts through some sort of > > engine to decide which ones reach their pager. In some environments > > this could be a very good thing. > > > >1.4) Others will learn which alerts mean "hit erase" and which ones mean > >"grab the Palm Pilot and ssh in". > > In other words, the administrator will apply site policy to the IDS > by building a filtering layer on top of its alert mechanism. That will > be based on the administrator's knowledge of site policy and local > risk/threat posture. > > We're 100% agreed. But what what I am saying is that the IDS should > be able to permit that tuning directly, by getting that information > from the administrator so the IDS can tailor its behavior to what > it has been told is acceptable/unacceptable/interesting about the > network it's watching. Right, but what I'm saying is that, and I failed to clearly state it because I was too busy making witty 6 year-old comments ;), is that this is better done at the administrator level in some cases. A learning admin needs to be able to learn what's "good" and "bad", and as a network changes, the IDS' filters won't get updated, the human ones may. While certainly there are people who will lose their tolerance over time and hit "delete" every time, there are also people who will want to adjust their thresholds in real-time. This may or may not be possible at the IDS (How much change do you expect on a security-critical machine, I like little because it makes changes auditable). While it may run counter to what's ultimately marketable, I would really prefer to set my own thresholds and adhere to them. If I knew a new attack came out this morning, and I was off-site, there may be an alert that I'd now want that was in the "hit delete" catagory last night. I tend to syslog *.debug quite often, and then grep those logs for what I'm really after because I can always go back if I have the data, but if I never log it, its lost forever. I consider some alerts to be in the same vein, and my tolerence is probably farily high for a little inconvenience because I think the risk/reward scenerio is higher than doing it the other way around. If I'm never alerted, I don't know something happened. Now if your system follows BUGTRAQ, *security, comp.security.*, etc. changes its thresholds, I'm ready to buy. Until then I prefer to do most of my filtering manually. But then I handle e-mail the same way, I've got procmail, but it's only used for the corsest functions, not for everyday sorting. Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions probertsat_private which may have no basis whatsoever in fact." PSB#9280
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:57 PDT