Firewall Wizards mailing list archives

Re: Intrusion Detection


From: Aleph One <aleph1 () dfw net>
Date: Tue, 14 Apr 1998 19:16:54 -0500 (CDT)

On Tue, 14 Apr 1998, Marcus J. Ranum wrote:

> That's what I'm talking about. IDS' useful role is as a backstop
> against intrusions that have succeeded, not as frontal armor against
> known attacks which (most likely) won't succeed. Note that most of
> the current IDS products on the market are the "frontal armor" type.

Well, maybe if you did decide to, say, email the ISP upstream of where
the attacks are coming from, you might stop them _before_ they break in.

> I guess I'm doing a lousy job of explaining myself (chalk it up to
> fatigue) -- the place where IDS are valuable is as automated tools
> to do what Ches used to call "Tar Babies" -- traps and alarms that
> are scattered within the network, to call attention to the presence
> of unusual activity. This DOES NOT mean that they'll catch the attack
> based on the attack technique used!!

I understand what you mean and I agree. I guess my point is that unless
you look at the traffic and follow up on it, even things that would
normally not succeed in breaking in, you will be in the dark. What the
IDS does is let you know when something interesting is happening.
Then you can break out the network sniffer and take a look _for_yourself_
at what's going on. You may find some interesting things. But again you are
correct that this may take too much time for most people; that's why large
companies (should) have a full-time security staff.

> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr


Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
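The "tar baby" idea Marcus describes (traps and alarms scattered in the network that fire on any contact, whatever the attack technique) and Aleph One's point that someone then has to follow up with a sniffer can be sketched in a few lines. The following is an added example written for this archive page, not code from either poster or from Network Flight Recorder; the decoy address, decoy ports and the sample flow records are all constructed for illustration.

```python
# Added example (not from the original thread): a "tar baby" style trap in the
# spirit of the traps-and-alarms approach discussed above. Decoy addresses and
# ports are constructed for illustration; nothing legitimate should ever touch
# them, so any contact is interesting regardless of the attack technique used.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    """One connection attempt as a flow logger or firewall might record it."""
    src: str
    dst: str
    port: int


# Constructed decoys: an unused address on the subnet and two ports on which
# no real service is offered anywhere on this network.
DECOY_HOSTS = {"10.0.5.200"}
DECOY_PORTS = {23, 2049}


def is_trap_hit(conn: Connection) -> bool:
    """True when a connection touches a decoy host or a decoy port."""
    return conn.dst in DECOY_HOSTS or conn.port in DECOY_PORTS


def detect(connections):
    """Group trap hits by source so an analyst can follow up with a sniffer.

    Returns {src: sorted list of (dst, port) decoys it touched}. Sources that
    touch several decoys look like sweeps and are listed first.
    """
    hits = defaultdict(set)
    for conn in connections:
        if is_trap_hit(conn):
            hits[conn.src].add((conn.dst, conn.port))
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {src: sorted(targets) for src, targets in ranked}


# Constructed sample traffic: ordinary web/mail flows, one outside host
# probing the decoys, and one internal host that hit the decoy address once.
SAMPLE = [
    Connection("10.0.5.17", "10.0.5.1", 80),
    Connection("10.0.5.17", "10.0.5.1", 25),
    Connection("192.0.2.44", "10.0.5.200", 80),
    Connection("192.0.2.44", "10.0.5.10", 23),
    Connection("192.0.2.44", "10.0.5.11", 2049),
    Connection("10.0.5.23", "10.0.5.200", 22),
]


def report(connections) -> str:
    """Human-readable summary, one line per source that tripped a trap."""
    lines = []
    for src, targets in detect(connections).items():
        lines.append(f"{src} touched {len(targets)} decoy(s): {targets}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

The trap never looks at payloads or attack signatures: the ordinary web and mail flows from 10.0.5.17 produce nothing, while the source that swept three decoys rises to the top of the list as the one worth putting a sniffer on first. The single internal hit on the decoy address is still reported, since a mistyped address and a curious insider look the same until someone follows up.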


