Firewall Wizards mailing list archives

Re: Intrusion Detection


From: Adam Shostack <adam () homeport org>
Date: Tue, 14 Apr 1998 09:40:46 -0400 (EDT)

shantanu bhattacharya wrote:
| Hi,
| 
| What are the kind of Intrusions an Intrusion Detection software can
| detect? What all it cannot? Also, specify the reasons. 

        There's an upcoming conference on this very question.  I can't
find the URL offhand.

        I believe intrusion detection to be a misnomer, and that the
really useful class of software is attack detection.  Attacks (land,
teardrop, phf, password file sucking) are relatively easy to detect
with network sniffing software.  Intrusions are hard to detect with
network sniffers because, done properly, they look pretty much like
real users.  Most systems I've broken into, I get in through social
engineering. Make a few phone calls.  Log-based analyzers do a better
job of this; they have less data to munge through, and can build up
'expected' behavior patterns.



-- 
Just be thankful that Microsoft does not manufacture pharmaceuticals.
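The two detection styles contrasted in the post above, as an added example that is not part of the original thread or any product it mentions: a single-packet signature check for the land pattern (the kind of attack a network sniffer catches easily), and a log-based profiler that learns an 'expected' login pattern per user and flags departures from it. The packet records, the syslog-like log format and every log line are constructed for this example.

```python
"""Added example (not from the original thread): attack detection by
packet signature versus intrusion detection by log-based behaviour
profiling.  All packets and log lines are constructed sample data and
the log layout is a hypothetical format chosen for this example."""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # TCP flags as a string, e.g. "S" for SYN


def is_land_packet(pkt: Packet) -> bool:
    """Signature for the land attack: a SYN whose source and destination
    address and port are identical.  Legitimate traffic never looks like
    this, so one packet is enough to raise an alert."""
    return ("S" in pkt.flags
            and pkt.src_ip == pkt.dst_ip
            and pkt.src_port == pkt.dst_port)


def scan_packets(packets):
    """Return the packets matching the land signature."""
    return [p for p in packets if is_land_packet(p)]


# Constructed packet records: one ordinary SYN, one matching the signature.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", 40123, "192.0.2.20", 80, "S"),
    Packet("192.0.2.20", 139, "192.0.2.20", 139, "S"),
]

# Hypothetical auth-log layout used for the constructed lines below.
LOG_RE = re.compile(r"^(?P<date>\S+) (?P<time>\d\d):\d\d:\d\d \S+ login: "
                    r"user=(?P<user>\w+) from=(?P<src>\S+) result=(?P<res>\w+)$")

# Constructed training history: what 'normal' looks like for each user.
HISTORY = """\
2024-03-01 08:55:10 host1 login: user=alice from=10.0.0.5 result=ok
2024-03-02 09:10:31 host1 login: user=alice from=10.0.0.5 result=ok
2024-03-03 17:42:07 host1 login: user=alice from=10.0.0.5 result=ok
2024-03-01 22:03:44 host1 login: user=bob from=10.0.0.9 result=ok
2024-03-02 23:15:02 host1 login: user=bob from=10.0.0.9 result=ok
""".splitlines()


def parse(line):
    """Parse one log line into a record, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"hour": int(m["time"]), "user": m["user"],
            "src": m["src"], "ok": m["res"] == "ok"}


def build_profile(lines):
    """Expected behaviour per user: the hours and source addresses seen in
    successful logins during the training window."""
    profile = defaultdict(lambda: {"hours": set(), "srcs": set()})
    for line in lines:
        rec = parse(line)
        if rec and rec["ok"]:
            profile[rec["user"]]["hours"].add(rec["hour"])
            profile[rec["user"]]["srcs"].add(rec["src"])
    return profile


def find_anomalies(profile, lines, hour_slack=1):
    """Flag successful logins from an unseen source address, or at an hour
    more than `hour_slack` away from every hour in the user's profile.
    Users with no profile are flagged as well.  Failed logins are skipped
    here because they never produce an intrusion on their own."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if not rec or not rec["ok"]:
            continue
        known = profile.get(rec["user"])  # .get() does not create an entry
        if known is None:
            alerts.append((line, "unknown user"))
        elif rec["src"] not in known["srcs"]:
            alerts.append((line, "new source address"))
        elif all(abs(rec["hour"] - h) > hour_slack for h in known["hours"]):
            alerts.append((line, "unusual hour"))
    return alerts


# Constructed lines to evaluate against the learned profile.
NEW_LINES = [
    "2024-03-04 09:30:00 host1 login: user=alice from=10.0.0.5 result=ok",    # expected
    "2024-03-04 03:12:55 host1 login: user=alice from=10.0.0.5 result=ok",    # unusual hour
    "2024-03-04 22:40:10 host1 login: user=bob from=198.51.100.7 result=ok",  # new source
    "2024-03-04 10:00:00 host1 login: user=mallory from=10.0.0.5 result=ok",  # unknown user
    "2024-03-04 10:01:00 host1 login: user=bob from=10.0.0.9 result=fail",    # failure, skipped
]

if __name__ == "__main__":
    for p in scan_packets(SAMPLE_PACKETS):
        print("land signature:", p)
    for line, why in find_anomalies(build_profile(HISTORY), NEW_LINES):
        print(f"{why}: {line}")
```

The signature check needs no history at all, which is why packet-level attack detection is the easy case; the profiler is only as good as its training window, and a login that reuses a known address at a familiar hour passes it untouched, which is the point the post makes about intrusions that look like real users.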