IDS mailing list archives
Re: Need help to choose a security policy
From: embyte <embyte () madlab it>
Date: Fri, 14 May 2004 21:42:55 +0200
On Friday 07 May 2004 14:05, CEDRIC CASSIN wrote:
It seems to correspond with my point of view. For example, I see that SMTP traffic is allowed, I look for all the signatures that check attacks through this service and then make my choice among these signatures depending on my network architecture (OS, software, etc.). This will fit my needs and decrease logs. Am I right? BUT... for example, I have a lot of alerts of SQL Slammer worms but there is no accept rule on the firewall. So I know that the firewall will block them. It's evidence for me that I shouldn't pay attention to this attack. This attack will not go into the internal network, but is it interesting to keep track of this as information about possible intruders? Should it be considered as noise like scans and so on? (too much data to be manageable) Is it simply a scan attack, so not necessarily against us and not really relevant?
This is an old problem, the most significant one for IDS. The most modern IDSs place standard IDS side by side with network/service/OS discovery systems and vulnerability assessment. With correlation and event contextualization you can strongly reduce false positives, which makes log reading easier. This kind of software takes the name of "target-based IDS", coined by Martin Roesch in 2000. You can read the discussion about target-based IDS in the list archive:
http://seclists.org/lists/focus-ids/2004/Jan/0044.html
and here:
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art540,00.html
http://searchsecurity.techtarget.com/searchSecurity/downloads/FinalSnyder_12804.ppt
and if you know the Italian language:
http://www.madlab.it/slides/ids_hkm04.pdf :)

see you
Embyte

--
bash$ :(){ :|:&};:
Computer Science belongs to all Humanity!
Icq uin : #48790142
Gpg key fingerprint : 103E F38A 9263 57BB B842 BC92 6B2D ABFC D03F 01AA
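As an added illustration of the contextualization embyte describes (example code written for this archive page, not code from the thread or from any target-based IDS product), the script below triages constructed IDS alerts against a constructed firewall policy and asset inventory; every host, port, service and signature name in it is made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    sig: str               # signature name as the IDS reports it
    proto: str             # "tcp" or "udp"
    dst_port: int
    dst_host: str
    applies_to: frozenset  # software the signature is actually about

# Constructed firewall policy: (proto, port) pairs that have an accept rule.
ALLOWED = {("tcp", 25), ("tcp", 80)}

# Constructed asset inventory, as a discovery / vulnerability scan would report it.
INVENTORY = {"10.0.0.5": {"postfix", "linux"}, "10.0.0.9": {"apache", "linux"}}

def triage(alert, allowed=ALLOWED, inventory=INVENTORY):
    """Return (verdict, reason). 'blocked': no accept rule, keep only as trend data;
    'n/a': allowed, but the target does not run the affected software;
    'actionable': allowed and the target is a plausible victim."""
    if (alert.proto, alert.dst_port) not in allowed:
        return "blocked", "no accept rule for %s/%d" % (alert.proto, alert.dst_port)
    services = inventory.get(alert.dst_host, set())
    if not alert.applies_to & services:
        missing = ", ".join(sorted(alert.applies_to))
        return "n/a", "%s does not run %s" % (alert.dst_host, missing)
    return "actionable", "allowed by the firewall and the target runs the affected software"

def summarize(alerts):
    """Count alerts per verdict; only the 'actionable' bucket needs an analyst's eyes."""
    counts = {"blocked": 0, "n/a": 0, "actionable": 0}
    for a in alerts:
        counts[triage(a)[0]] += 1
    return counts

# Constructed sample alerts mirroring the thread: Slammer hits a port with no
# accept rule; SMTP is allowed, but only one SMTP signature matches the real MTA.
SAMPLE = [
    Alert("MS-SQL Slammer worm propagation", "udp", 1434, "10.0.0.5", frozenset({"mssql"})),
    Alert("SMTP Sendmail-specific signature", "tcp", 25, "10.0.0.5", frozenset({"sendmail"})),
    Alert("SMTP Postfix-specific signature", "tcp", 25, "10.0.0.5", frozenset({"postfix"})),
    Alert("HTTP Apache-specific signature", "tcp", 80, "10.0.0.9", frozenset({"apache"})),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print("%-40s %-10s %s" % (a.sig, *triage(a)))
    print(summarize(SAMPLE))
```

The blocked bucket is the Slammer noise the original question asks about: it is still counted, so a sudden rise shows up as a trend, but it never lands on the analyst's screen alert by alert.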