Re: Important Comments re: INtrusion Detection

[Darren Reed <darrenr () cyber com au>]

In some mail I received from Craig Brozefsky, sie wrote
> On Sat, 14 Feb 1998, Darren Reed wrote:
> > In some mail I received from tqbf () secnet com, sie wrote
> > [...]
> > > However, we do not see a way in which sniffer-driven ID systems can
> > > accurately detect SPECIFIC TYPES of attacks in IP traffic. We are not
> > > contesting the fact that it is possible to detect traffic that is likely
> > > "malicious", and we are not saying that it is impossible to detect the
> > > fact that a network is being attacked. The issue is that sniffers cannot
> > > isolate (most types of) specific attacks from any other type of attack.
> > [...]
> >
> > One conclusion from this is might be that  an IDS is only truely
> > possible if implemented as a proxy gateway of sorts or otherwise
> > performs as a mediator of packets as a firewall might be expected
> > to do.  Do you agree with this ?
>
> I would disagree, as this conclusion would not take into account the need 
> for a secondary source of information regarding the hosts which are 
> possible targets.  There is a strong need for context to be able to 
> identify specific attacks on hosts.  You are not given this information 
> because your an application proxy vs. a packet filter.

...and how is that secondary source there when it is just a passive
listener and not there when it is a proxy ?  I think I'm missing something
you're implying.  As per a proxy firewall, you have hosts on "each side".
One side you care about, the other you don't.  Or you might care about them
in both directions if you want to stop people from using your site as a
launchpad for attacks.

Darren