I think one thing not mentioned directly concerning the worth of IDS as a whole is that, like an NFR, or a firewall, or tools like Net Sonar, Ballista, or whatever, they are just that. Tools. As a system administrator, or, if you are lucky enough to be able to find and afford one, a security specialist, we all use TOOLS to make our jobs easier and more efficient. If I employ an IDS to catch some of the soft net noise hackers, then it has saved me time and made me more efficient. Sure, I could sit and write my own scripts to do the same thing. Heck, I bet I could even learn to make a nice little GUI for it too. If I had the time, that is, and my employer was willing to accept lower productivity because I was writing code instead of performing my daily tasks. Unfortunately, few of us can have that luxury. IDS systems, even with their flaws and vulnerabilities, still have a place right alongside the firewalls, routers and virus checkers we use today in order to keep the electronic monster on a leash. Think about it: I used to think those electronic pets were stupid gimmicks; then I sat down with my firewall this morning and looked back at all the care and feeding it requires. Who's the fool?

-----Original Message-----
From: Sheila Or Bob (depends on who is writing) [SMTP:shsrmsat_private]
Sent: Saturday, April 18, 1998 9:29 AM
To: Nicholas Charles Brawn
Cc: firewall-wizardsat_private
Subject: Re: how to do intrusion detection right

Nicholas Charles Brawn wrote:
>
> Would you then not run the risk of attackers masking hostile traffic by
> making it appear to look "expected"?
>
> Nicholas Brawn

Exactly! The gabriel and other scan detectors are easily defeated by a patient low level attack - spread things over a time period that is beyond their threshold, do things aperiodically. Sometimes humans can discern something is out of the ordinary. Sometimes they can't.

In the event of establishing a profile of the net ("what is normal traffic") with a new IDS, they can be confused with what I call white noise, so that things look like they are expected!

bob

>
> --
> Email: ncb05at_private
> Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.
>
> On Thu, 16 Apr 1998, George J. Dolicker wrote:
>
> > I think perhaps what the intrusion detection system might do is not look
> > for something "interesting", but rather something "different". Rather than
> > trying to define what is a problem, define what is NOT a problem... so
> > configure the IDS to smile upon traffic that is expected, and panic over
> > anything else.
> >
> > Same principle we use in firewalling: that which is not explicitly
> > permitted is denied.
> >
> > G.
> >
> > At 12:02 PM 4/16/98 MDT, Martin W Freiss wrote:
> > >When the administrator can tailor the IDS to unacceptable/interesting
> > >stuff on the net, what he does is transfer his own mindset about security
> > >to the IDS. I then have a machine that "thinks" like me, which thus alerts
> > >me about facts that I am already aware of - a useful thing that may save
> > >some work, but will not help me notice next week's bug being exploited.
> > >
> > >I may be stupid, but what is "interesting" is something I do not know
> > >before an intrusion attempt.
> > >Tomorrow's attack may use some technique that is "obviously" safe today,
> > >thus bypassing my (human or computer) filtering layer. Using a sufficiently
> > >"new" technique, my firewall will probably not notice that it has been
> > >broached. What _can_ help me is having a complete log of everything that
> > >has been going through the network, which I can then analyze to understand
> > >what has happened. An intrusion analysis system, if you will - which
> > >so far includes a large human component.
> > >
> > >-Martin
> > >
> >

--
real address is shsrms at erols dot com
The Herbal Gypsy and the Tinker.
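Bob's point about threshold-based scan detectors being beaten by a patient, aperiodic attacker, as an added example that is not part of the original thread and is not gabriel's (or any other product's) actual code: a hypothetical sliding-window detector that alerts when one source touches 10 distinct ports within 60 seconds (both numbers are assumptions), run over constructed traffic from a naive one-probe-per-second scanner, a patient scanner whose irregular gaps all exceed the window, and a legitimate client that hammers a single web port. The addresses, ports and timestamps are made up.

```python
"""Added example: a window/threshold scan detector and the patient,
aperiodic probing that slips beneath it. Hypothetical detector, not the
algorithm of gabriel or any real IDS."""
from collections import defaultdict, deque

# Detector tuning (assumed values, not taken from any real product).
WINDOW_SECONDS = 60    # how far back the detector remembers probes from one source
PORT_THRESHOLD = 10    # distinct destination ports within the window before alerting


def detect_scans(events, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Sliding-window scan detector.

    events: iterable of (timestamp_seconds, src_ip, dst_port), in any order.
    Returns a list of (timestamp, src_ip) alerts, at most one per source,
    raised at the probe that brings `threshold` distinct ports from that
    source inside the last `window` seconds.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, port) still inside the window
    alerted = set()
    alerts = []
    for ts, src, port in sorted(events):
        q = recent[src]
        q.append((ts, port))
        # Forget probes older than the window; this forgetting is what the
        # patient attacker exploits.
        while ts - q[0][0] > window:
            q.popleft()
        if src not in alerted and len({p for _, p in q}) >= threshold:
            alerted.add(src)
            alerts.append((ts, src))
    return alerts


def fast_scan(src, start, ports):
    """Naive scanner: one probe per second against each port in turn."""
    return [(start + i, src, p) for i, p in enumerate(ports)]


def slow_scan(src, start, ports, gaps):
    """Patient scanner: same ports, but probe i waits gaps[(i-1) % len(gaps)]
    seconds after probe i-1. With every gap longer than the detector window,
    no two probes from this source are ever in the window together, and the
    irregular gaps avoid the periodic rhythm a human might notice in a log."""
    events, ts = [], start
    for i, p in enumerate(ports):
        if i:
            ts += gaps[(i - 1) % len(gaps)]
        events.append((ts, src, p))
    return events


# --- Constructed sample traffic (synthetic, not a captured trace) ----------
TARGET_PORTS = [21, 22, 23, 25, 53, 79, 80, 110, 111, 113,
                119, 135, 139, 143, 161, 389, 443, 445, 512, 513]
FAST = fast_scan("198.51.100.7", 1000, TARGET_PORTS)
# Every gap exceeds WINDOW_SECONDS, so the detector never sees two of these together.
SLOW = slow_scan("203.0.113.9", 1000, TARGET_PORTS, gaps=[70, 95, 130, 61, 88])
# A legitimate client hitting one web server: many connections, one distinct port.
LEGIT = [(1000 + i, "192.0.2.10", 80) for i in range(50)]


def run_demo(window=WINDOW_SECONDS):
    """Run the detector over all three sources mixed together."""
    return detect_scans(FAST + SLOW + LEGIT, window=window)


if __name__ == "__main__":
    print("60 s window:  ", run_demo())        # only the fast scanner is caught
    print("3600 s window:", run_demo(3600))    # the slow scanner now shows up too
```

With the 60 s window the fast scanner is flagged at its tenth probe and the legitimate client stays quiet, but the slow scanner walks all twenty ports without a single alert: each probe arrives after the previous one has aged out of the window. Widening the window to an hour catches this particular slow scan, at the price of more per-source state and a higher chance that an ordinary host touching many services over an hour trips the threshold, and the attacker answers by stretching the gaps further still. Note that every slow probe is present in the event list; the threshold hid them, which is the case for Martin's complete log that a human can go back and read.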
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:38 PDT