Re: how to do intrusion detection right

From: George J. Dolicker (gjpdat_private)
Date: Thu Apr 16 1998 - 07:18:31 PDT


    I think perhaps what the intrusion detection system might do is not look
    for something "interesting", but rather something "different".  Rather than
    trying to define what is a problem, define what is NOT a problem... so
    configure the IDS to smile upon traffic that is expected, and panic over
    anything else.
    Same principle we use in firewalling:  that which is not explicitly
    permitted is denied.
    At 12:02 PM 4/16/98 MDT, Martin W Freiss wrote:
    >When the administrator can tailor the IDS to unacceptable/interesting
    >stuff on the net, what he does is transfer his own mindset about security
    >to the IDS. I then have a machine that "thinks" like me, which thus alerts 
    >me about facts that I am already aware of - a useful thing that may save 
    >some work, but will not help me notice next week's bug being exploited. 
    >I may be stupid, but what is "interesting" is something I do not know 
    >before an intrusion attempt.
    >Tomorrow's attack may use some technique that is "obviously" safe today,
    >thus bypassing my (human or computer) filtering layer. Using a sufficiently
    >"new" technique, my firewall will probably not notice that it has been 
    >broached. What _can_ help me is having a complete log of everything that
    >has been going through the network, which I can then analyze to understand
    >what has happened. An intrusion analysis system, if you will - which 
    >so far includes a large human component.
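An added illustration of the two positions in this exchange, written for this archive page and not part of the original thread: a default-deny flow audit (Dolicker's "smile upon expected traffic, panic over anything else") next to a signature check that only knows yesterday's bad ports (Freiss's concern). The allowlist, signature set, addresses and flow records are all constructed for the example.

```python
import ipaddress

# Constructed allowlist: the only flows this hypothetical site expects.
# By policy, everything not listed here is a problem.
EXPECTED = [
    ("10.0.0.0/8", "10.0.1.25/32", "tcp", 25),   # internal hosts -> mail relay
    ("10.0.0.0/8", "10.0.1.53/32", "udp", 53),   # internal hosts -> resolver
    ("0.0.0.0/0",  "192.0.2.10/32", "tcp", 80),  # anyone -> public web server
]

# Constructed signature list for contrast: what a signature IDS already "knows".
KNOWN_BAD_PORTS = {31337}

def compile_rules(spec):
    """Turn (src_cidr, dst_cidr, proto, dport) tuples into network objects once."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), p, port)
            for s, d, p, port in spec]

def permitted(flow, rules):
    """True only if some rule explicitly expects this flow."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    return any(src in r_src and dst in r_dst
               and flow["proto"] == r_proto and flow["dport"] == r_port
               for r_src, r_dst, r_proto, r_port in rules)

def default_deny_alerts(flows, rules):
    """Default deny: alert on every flow that is not explicitly expected."""
    return [f for f in flows if not permitted(f, rules)]

def signature_alerts(flows, bad_ports):
    """Signature approach: alert only on what was already known to be bad."""
    return [f for f in flows if f["dport"] in bad_ports]

# Constructed sample flow records, as a firewall or flow logger might produce.
FLOWS = [
    {"src": "10.0.5.7",     "dst": "10.0.1.25",    "proto": "tcp", "dport": 25},
    {"src": "10.0.5.7",     "dst": "10.0.1.53",    "proto": "udp", "dport": 53},
    {"src": "198.51.100.4", "dst": "192.0.2.10",   "proto": "tcp", "dport": 80},
    # Known-bad port: both approaches catch this one.
    {"src": "10.0.5.7",     "dst": "10.0.1.25",    "proto": "tcp", "dport": 31337},
    # The web server opening an outbound connection: no signature matches,
    # but nothing in the allowlist expects it either ("next week's bug").
    {"src": "192.0.2.10",   "dst": "198.51.100.4", "proto": "tcp", "dport": 6667},
]

if __name__ == "__main__":
    rules = compile_rules(EXPECTED)
    for f in default_deny_alerts(FLOWS, rules):
        print("default-deny alert:", f)
    for f in signature_alerts(FLOWS, KNOWN_BAD_PORTS):
        print("signature alert:   ", f)
```

The price of the default-deny approach is visible in the same code: every legitimate flow the allowlist omits becomes an alert, so the rule set has to be maintained as carefully as a firewall policy.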
