Dailydave mailing list archives
Re: Britney and Kevin are Chaotic
From: byte_jump <bytejump () gmail com>
Date: Thu, 26 May 2005 20:23:46 -0600
The cost of rolling out a Tripwire or Tripwire-like solution to desktops in even a medium-sized enterprise would be out of this world compared to a couple of well-placed NIDS, but I believe the two meet different goals. I don't think one can rely on a NIDS to provide the level of detection that Tripwire can, and vice versa. For example, a NIDS would not likely detect a private, zero-day exploit against an Apache server while Tripwire may detect the alteration of files (maybe not). I think PaX or something like that would be more useful in that regard, but the two would complement each other.

On the other hand, it's not likely that Tripwire would detect that two desktops are acting as their own SMTP servers to send mail - though a NIDS could. Again, trying to roll out something like Tripwire or PaX on an enterprise network is next to impossible - and what do you do with all of your Windows desktops?

Examples of what NIDS would be useful for, in my opinion, would be:

- Detect anomalous SMTP servers on the network.
- Detect unauthorized DNS or DHCP servers on a network.
- Detect IRC traffic.
- Detect traffic above a certain threshold.
- Detect an unsolicited ICMP echo reply or other potential covert channels.

There are other examples, but those quickly come to mind.

byte_jump

On 5/26/05, Adam Shostack <adam () homeport org> wrote:
Really? Why not tripwire a few hosts? Or wait for something bad to happen? Can you show me that spending on an IDS really leads to lower incident handling costs? (I suspect that it could, but have no data.)

Adam
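
Added example, not part of the original message or of any NIDS product: a sketch of the policy-style checks from byte_jump's list (rogue SMTP senders, unauthorized DNS/DHCP servers, unsolicited ICMP echo replies) run over constructed packet summaries. The addresses, the `AUTHORIZED` policy and the `Pkt` record are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed packet summary; icmp_type/icmp_id stay None for TCP/UDP.
Pkt = namedtuple("Pkt", "proto src sport dst dport icmp_type icmp_id", defaults=(None, None))

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
# Assumed site policy (hypothetical hosts): the only machines allowed in each role.
AUTHORIZED = {"smtp": {"10.0.0.25"}, "dns": {"10.0.0.53"}, "dhcp": {"10.0.0.1"}}

def internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def detect(packets):
    """Return a sorted list of (rule, host) alerts for a packet sequence."""
    alerts, echo_requests = set(), set()
    for p in packets:
        # Internal host delivering mail itself instead of going through the relay.
        if (p.proto == "tcp" and p.dport == 25 and internal(p.src)
                and p.src not in AUTHORIZED["smtp"] and p.dst not in AUTHORIZED["smtp"]):
            alerts.add(("rogue-smtp-sender", p.src))
        # Internal host answering from the DNS or DHCP server port without being listed.
        if p.proto == "udp" and internal(p.src):
            if p.sport == 53 and p.src not in AUTHORIZED["dns"]:
                alerts.add(("rogue-dns-server", p.src))
            if p.sport == 67 and p.dport == 68 and p.src not in AUTHORIZED["dhcp"]:
                alerts.add(("rogue-dhcp-server", p.src))
        if p.proto == "icmp":
            if p.icmp_type == 8:    # echo request: remember who asked whom
                echo_requests.add((p.src, p.dst, p.icmp_id))
            elif p.icmp_type == 0 and (p.dst, p.src, p.icmp_id) not in echo_requests:
                alerts.add(("unsolicited-echo-reply", p.src))  # reply nobody asked for
    return sorted(alerts)

SAMPLE = [  # constructed traffic, not captured from a real network
    Pkt("tcp", "10.0.1.5", 40000, "10.0.0.25", 25),      # desktop -> relay: normal
    Pkt("tcp", "10.0.0.25", 40001, "203.0.113.9", 25),   # relay -> Internet: normal
    Pkt("tcp", "10.0.1.77", 40002, "203.0.113.9", 25),   # desktop sending mail directly
    Pkt("udp", "10.0.0.53", 53, "10.0.1.5", 5353),       # authorized resolver
    Pkt("udp", "10.0.1.88", 53, "10.0.1.5", 5354),       # unlisted DNS responder
    Pkt("udp", "10.0.0.1", 67, "10.0.1.5", 68),          # authorized DHCP server
    Pkt("udp", "10.0.1.99", 67, "10.0.1.5", 68),         # unlisted DHCP server
    Pkt("icmp", "10.0.1.5", None, "10.0.0.1", None, 8, 7),
    Pkt("icmp", "10.0.0.1", None, "10.0.1.5", None, 0, 7),      # matches the request
    Pkt("icmp", "198.51.100.4", None, "10.0.1.6", None, 0, 9),  # no request seen
]

if __name__ == "__main__":
    for rule, host in detect(SAMPLE):
        print(rule, host)
```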