IDS mailing list archives

Re: Network IDS


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Thu, 28 Aug 2003 19:42:57 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Andrew Plato writes:

1. I think ISS's NIDS is great, but when it comes to interfacing with
OPSEC, I get queasy with that idea. I have a philosophical problem with
an independent system writing rules into another system. It's asking for
problems. Every time I see this implemented, it gets messed up somehow
and either doesn't block when it should, or blocks the wrong things.
Maybe it's just because everyone who I've worked with that did this is
lame. Nevertheless, the OPSEC connection always sounds better as a
concept than it does when it's actually implemented.

I know what you mean.  In my experience, using a NIDS is a lot like reading
USENET:  I've learned a lot of interesting and valuable things that I wouldn't
have learned otherwise...but nevertheless the overwhelming bulk of it
ranges from the useless to the outright insane.  So if you're
relying on an IPS for policy based routing, I guess the analogy would be to
instantly obey all suggestions you read on USENET.  My assumption is that
this would get you arrested or dead in fairly short order (although
potentially with significantly enhanced genital dimensions).

Maybe it's just me.  Most of the time I'm worried about whether or not
my NIDS is clever enough that I'm willing to let it page me, much less
let it handle routing.  Has someone managed to solve the false positive
problem while I've been hidden away writing ornate and useless statistical
analysis code?




- -spb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iD8DBQE/Tr1nG3kIaxeRZl8RAp8IAJ9ANoqoX0lLwWYBAxpnyDGi5XC8KwCeLTca
kOg8iF2rJUHnzOsrA2b9wlg=
=Avt6
-----END PGP SIGNATURE-----
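The failure mode both posters describe, an IDS pushing blocking rules straight into a firewall and blocking the wrong things, is easy to reproduce in a few lines. The following is an added example, not code from the thread or from ISS, Check Point or any OPSEC product: it parses constructed Snort-style "fast" alert lines (the addresses, signature IDs and messages are made up), then contrasts the naive policy of blocking every alert source against a guarded policy with a never-block list, a priority floor, a corroboration threshold and a block TTL. The thresholds and the window/TTL values are illustrative assumptions, not recommendations for any particular product.

```python
"""Added example: IDS-driven firewall blocking, naive vs. guarded.

Sample alerts and addresses below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts in Snort "fast" style. 192.0.2.0/24 is our own network;
# 192.0.2.1 is the gateway and 192.0.2.53 the resolver. Both trip noisy rules.
SAMPLE_ALERTS = """\
08/28-19:40:01.000000 [**] [1:1000001:1] WEB-MISC /etc/passwd access [**] [Priority: 1] {TCP} 203.0.113.9:43211 -> 192.0.2.10:80
08/28-19:40:02.000000 [**] [1:1000002:1] ICMP Large ICMP Packet [**] [Priority: 3] {ICMP} 192.0.2.1 -> 192.0.2.10
08/28-19:40:03.000000 [**] [1:1000001:1] WEB-MISC /etc/passwd access [**] [Priority: 1] {TCP} 203.0.113.9:43212 -> 192.0.2.10:80
08/28-19:40:04.000000 [**] [1:1000001:1] WEB-MISC /etc/passwd access [**] [Priority: 1] {TCP} 203.0.113.9:43213 -> 192.0.2.10:80
08/28-19:40:05.000000 [**] [1:1000003:1] DNS zone transfer attempt [**] [Priority: 2] {TCP} 192.0.2.53:41000 -> 192.0.2.10:53
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

# Addresses an automated responder must never block: our own hosts, the
# gateway and the resolver. A false positive here becomes a self-inflicted outage.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]


def parse_alerts(text, year=2003):
    """Parse fast-style alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["prio"] = int(a["prio"])
        a["sid"] = int(a["sid"])
        # The fast format has no year, so one is assumed for the example.
        a["ts"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append(a)
    return alerts


def naive_policy(alerts):
    """What an unfiltered IDS->firewall hookup does: block the source of every alert."""
    return {a["src"] for a in alerts}


def guarded_policy(alerts, max_prio=1, threshold=3,
                   window=timedelta(seconds=60), ttl=timedelta(minutes=30)):
    """Return {src: block_expiry} for sources that earn a block.

    A source is blocked only if it is outside NEVER_BLOCK, the alert priority is
    at least max_prio (Snort: 1 is highest), and `threshold` qualifying alerts
    arrive within `window`. Blocks expire after `ttl` rather than living forever.
    """
    recent = defaultdict(list)
    blocks = {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        src = ipaddress.ip_address(a["src"])
        if any(src in net for net in NEVER_BLOCK):
            continue
        if a["prio"] > max_prio:
            continue  # low-priority signatures are where most of the noise lives
        hits = [t for t in recent[a["src"]] if a["ts"] - t <= window] + [a["ts"]]
        recent[a["src"]] = hits
        if len(hits) >= threshold and a["src"] not in blocks:
            blocks[a["src"]] = a["ts"] + ttl
    return blocks


def active_blocks(blocks, now):
    """Blocks still in force at `now`; expired entries fall off automatically."""
    return {src for src, expiry in blocks.items() if expiry > now}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("naive:  ", sorted(naive_policy(alerts)))
    blocks = guarded_policy(alerts)
    print("guarded:", blocks)
    print("active at 20:20:", active_blocks(blocks, datetime(2003, 8, 28, 20, 20)))
```

Run as written, the naive policy blocks the external attacker but also the gateway and the resolver, which is exactly the "blocks the wrong things" outcome in the quoted post; the guarded policy blocks only 203.0.113.9, and only after three corroborating priority-1 alerts, with the block lapsing half an hour later. The never-block list and the TTL are the two guard rails that matter most: without them a single bad signature can cut off infrastructure you depend on, permanently.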

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier
technical IT security event. Modeled after the famous Black Hat event in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symantec is the Diamond sponsor. Early-bird registration ends September 6.
Visit: www.blackhat.com
---------------------------------------------------------------------------

