Would you then not run the risk of attackers masking hostile traffic by making it appear to look "expected"? Nicholas Brawn -- Email: ncb05at_private Nicholas Brawn - Computer Science Undergraduate, University of Wollongong. On Thu, 16 Apr 1998, George J. Dolicker wrote: > I think perhaps what the intrusion detection system might do is not look > for something "interesting", but rather something "different". Rather than > trying to define what is a problem, define what is NOT a problem... so > configure the IDS to smile upon traffic that is expected, and panic over > anything else. > > Same principal we use in firewalling: that which is not explictly > permitted is denied. > > G. > > At 12:02 PM 4/16/98 MDT, Martin W Freiss wrote: > >When the administrator can tailor the IDS to unacceptable/interesting > >stuff on the net, what he does is transfer his own mindset about security > >to the IDS. I then have a machine that "thinks" like me, which thus alerts > >me about facts that I am already aware of - a useful thing that may save > >some work, but will not help me notice next week's bug being exploited. > > > >I may be stupid, but what is "interesting" is something I do not know > >before an intrusion attempt. > >Tomorrow's attack may use some technique that is "obviously" safe today, > >thus bypassing my (human or computer) filtering layer. Using a sufficiently > >"new" technique, my firewall will probably not notice that it has been > >broached. What _can_ help me is having a complete log of everything that > >has been going through the network, which I can then analyze to understand > >what has happened. An intrusion analysis system, if you will - which > >so far includes a large human component. > > > >-Martin > > > >
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:24 PDT