Firewall Wizards mailing list archives
Re: When to do something about detected attacks (was Re: how to do...)
From: "Sheila Or Bob (depends on who is writing0" <shsrms () erols com>
Date: Wed, 15 Apr 1998 19:57:21 -0400
Hi Dan! d wrote:
I was going to lurk, but no sooner do I sign up, someone says... <<snip>> It'd be hard to think of a reasonable-sounding statement about security that I disagree with more - "If you don't know what you will do with data, don't collect it." I apologize if someone has already discussed this, but... One of my biggest criticisms of IDSs, security scanners, and security programs in general is that they look for security problems, rather than gathering information and processing it with a security mindset. The problem, as I see it, is that people try to solve the problem by knowing what the answer is before they start... and sure enough, they get their answer (if fortunate), but learn zero, and the tool generally turns out to be very limited, and worse yet, stays that way. <<SNIP to save bandwidth>>
Ahhh! You coerced me out of lurk mode! One of the ongoing discussions I had with a coworker concerned how you develop a profile - a user profile, a system profile, a network profile - as a means of determining what "normal" behavior is. We talked about using a content-addressable-memory type of approach. But first we had to gather data - in an attempt to find a norm. Gathering data was a key point - we could not say what was relevant! We needed it all. We figured that if we looked at the data through different "filters" we might find our interpretation of the data would change as we figured out what to look for. We figured we needed to keep data around for a while, maybe a long while. We would be able to go back and look for nuggets in the data. Is this forensics? Is this IDS? I think so!! But maybe I am just a pack rat, with my uVaxen and PRO 380! But it sure sounds like data mining. Can we apply "data mining" techniques with some sort of security policy filter to the data we capture for an IDS? I think so. I think some products can do this.
From my perspective, the points raised in this IDS discussion have been great! Keep it up!! Thanks! bob -- real address is shsrms at erols dot com The Herbal Gypsy and the Tinker.
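One concrete way to do what Bob describes above, as an added example that is not part of the original thread: parse and retain every log event without deciding up front what is relevant, build a per-user baseline ("normal" login hours and source addresses) from a few days of the retained data, and then run different filters over the same stored events later. The syslog lines are constructed for the example, and the field names, the baseline window and the two filters are my own choices, not anything a product on the list used.

```python
"""Baseline profiling over retained events (added example; constructed data)."""
import re
from collections import Counter, defaultdict

# Constructed sample log, not captured from a real host: three days of
# baseline (Apr 13-15) followed by one day to examine (Apr 16).
RAW_LOG = """\
Apr 13 08:12:01 gw sshd[311]: Accepted password for bob from 10.1.2.3 port 1022 ssh2
Apr 13 08:13:30 gw cron[120]: (root) CMD (/usr/lib/newsyslog)
Apr 13 22:05:11 gw sshd[412]: Accepted password for sheila from 10.1.2.9 port 1040 ssh2
Apr 14 09:02:44 gw sshd[520]: Accepted password for bob from 10.1.2.3 port 1031 ssh2
Apr 14 22:41:09 gw sshd[601]: Accepted password for sheila from 10.1.2.9 port 1044 ssh2
Apr 15 08:55:17 gw sshd[702]: Accepted password for bob from 10.1.2.3 port 1050 ssh2
Apr 15 12:00:00 gw named[88]: reloading nameserver
Apr 15 22:30:58 gw sshd[810]: Accepted password for sheila from 10.1.2.9 port 1061 ssh2
Apr 16 03:40:22 gw sshd[901]: Accepted password for bob from 192.0.2.77 port 2222 ssh2
Apr 16 08:15:03 gw sshd[933]: Accepted password for bob from 10.1.2.3 port 1070 ssh2
Apr 16 22:12:47 gw sshd[980]: Accepted password for sheila from 10.1.2.9 port 1081 ssh2
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d):\d\d:\d\d (\S+) (\w+)(?:\[\d+\])?: (.*)$")
# sshd's successful-login message; the method (password, publickey) is ignored.
LOGIN_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")


def parse_all(raw):
    """Parse every line into a record and keep all of them.

    Nothing is judged relevant or irrelevant here; cron and named lines are
    stored alongside sshd so that a later filter can still reach them.
    """
    events = []
    for line in raw.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # a real store would keep unparsed lines verbatim too
        month, day, hour, host, prog, msg = m.groups()
        events.append({"month": month, "day": int(day), "hour": int(hour),
                       "host": host, "prog": prog, "msg": msg, "raw": line})
    return events


def logins(events):
    """Yield (event, user, source) for each successful sshd login."""
    for ev in events:
        m = LOGIN_RE.search(ev["msg"])
        if ev["prog"] == "sshd" and m:
            yield ev, m.group(1), m.group(2)


def build_profile(events, baseline_days):
    """Per-user counts of login hours and source addresses over baseline_days."""
    profile = defaultdict(lambda: {"hours": Counter(), "sources": Counter()})
    for ev, user, src in logins(events):
        if ev["day"] in baseline_days:
            profile[user]["hours"][ev["hour"]] += 1
            profile[user]["sources"][src] += 1
    return profile


def filter_new_source(events, profile, days):
    """Filter 1: logins on `days` from an address never seen in the baseline."""
    return [(user, src, ev["raw"]) for ev, user, src in logins(events)
            if ev["day"] in days and src not in profile[user]["sources"]]


def filter_off_hours(events, profile, days):
    """Filter 2: logins on `days` at an hour the user never logged in during baseline.

    Written later against the same retained events; no new collection needed.
    """
    return [(user, ev["hour"], ev["raw"]) for ev, user, src in logins(events)
            if ev["day"] in days and ev["hour"] not in profile[user]["hours"]]


def run(raw=RAW_LOG, baseline_days=frozenset({13, 14, 15}), days=frozenset({16})):
    """Build the baseline, then apply both filters to the examined days."""
    events = parse_all(raw)
    profile = build_profile(events, baseline_days)
    return {"events": len(events),
            "new_source": filter_new_source(events, profile, days),
            "off_hours": filter_off_hours(events, profile, days)}


if __name__ == "__main__":
    result = run()
    print("retained events:", result["events"])
    for user, src, raw in result["new_source"]:
        print("new source for %s: %s  <- %s" % (user, src, raw))
    for user, hour, raw in result["off_hours"]:
        print("off-hours login for %s at %02d:00  <- %s" % (user, hour, raw))
```

The second filter is the point of the example: it was not conceived when the data was collected, yet it runs over the retained events unchanged, and the same 03:40 login from 192.0.2.77 surfaces under two independent views of "normal". A production baseline would need far more than three days, a tolerance around the observed hours, and a way to age out stale entries; those details are left out here.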
Current thread:
- Re: When to do something about detected attacks (was Re: how to do...) d (Apr 15)
- Re: When to do something about detected attacks (was Re: how to do...) Sheila Or Bob (depends on who is writing0 (Apr 15)
- Re: When to do something about detected attacks (was Re: how to do...) Aleph One (Apr 16)
- Re: When to do something about detected attacks (was Re: how to do...) tqbf (Apr 16)
- Re: When to do something about detected attacks (was Re: how to do...) Jeff Sedayao (Apr 20)
- <Possible follow-ups>
- Re: When to do something about detected attacks (was Re: how to do...) d (Apr 16)
- Re: When to do something about detected attacks (was Re: how to do...) d (Apr 22)
- Re: When to do something about detected attacks (was Re: how to do...) Sheila Or Bob (depends on who is writing0 (Apr 15)