IDS mailing list archives
Re: IDS is dead, etc
From: Bennett Todd <bet () rahul net>
Date: Wed, 6 Aug 2003 14:57:53 -0400
2003-08-06T07:39:28 Paul Schmehl:
> Why would you want to know about Nimda attacks against your servers?

(or more generally, attacks that won't succeed)

Some people _don't_ care. They need to disable the sigs they don't care about, or configure their IDS to only match those sigs against servers for which they're relevant. The limiting case of this argument says that given a really perfectly implemented firewall, you don't need an IDS at all. Some folks don't.

I can easily suggest three scenarios where someone might want such alerts.

(1) Suppose you've deployed your IDS on the inside edge of your firewall plant, rather than the outside. Aside from false alerts where the sig matches truly legit traffic, every alert reflects an incident. Someone set up a rogue server inside, and the malware got at it through some vector you can't protect against, e.g. a laptop that someone got infected when they hooked it up at home, then brought it in and hooked it up at their desk. This deployment scenario is also great for catching firewall config errors that inadvertently permit traffic you didn't intend.

(2) Suppose you're catching this info, and analyzing it in multiple dimensions. Even if all the attacks fail, you might be able to pick up on a sudden change in the attack profiles, alerting you to someone targeting your plant in a focused attack.

(3) The collected info can be helpful for building knowledge of the state of the internet. Groups like the ISACs share trending info, as well as details for analyzing new attacks. If your IDS is capturing with signatures that focus on vulnerabilities rather than on specific exploits, you can gather knowledge of new exploits as they are developed. This was a critical resource in the early analysis of Nimda, for instance.

Combine (3) with a honeypot and you're getting into really juicy intelligence collection.

-Bennett
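Scenario (2) above, the "sudden change in the attack profiles" that hints at a focused attacker, is the kind of analysis that is easy to describe and rarely shown. The following is an added example, not code from the original post or from any IDS product: it takes a constructed alert log (the "ts|sig|src|dst" layout and the signature names are assumptions made for the example), builds a per-day signature profile from a baseline window of background worm noise, and then flags later days that introduce signatures never seen in the baseline, spike an existing signature well above its baseline rate, or concentrate most alerts on a single source. Every alert in the sample would be a failed attack against a patched host; the point is that the mix still changes when someone starts paying attention to you.

```python
from collections import Counter, defaultdict

# Constructed alert log (not from the original post), one alert per line in a
# simple "ts|signature|src|dst" layout. Days 1-3 are scattered worm noise from
# many sources; day 4 adds a run of probes from one host using signatures that
# never appeared in the baseline. All addresses are documentation/private ranges.
SAMPLE_ALERTS = """\
2003-08-01T02:11:09|WEB-IIS cmd.exe access|10.9.1.5|192.0.2.10
2003-08-01T09:40:12|WEB-IIS unicode directory traversal|10.9.7.22|192.0.2.10
2003-08-01T17:03:55|WEB-IIS cmd.exe access|10.9.3.14|192.0.2.11
2003-08-02T01:15:41|WEB-IIS cmd.exe access|10.9.8.2|192.0.2.10
2003-08-02T11:22:07|WEB-IIS unicode directory traversal|10.9.2.9|192.0.2.11
2003-08-02T20:48:30|WEB-IIS cmd.exe access|10.9.5.1|192.0.2.10
2003-08-03T03:02:18|WEB-IIS cmd.exe access|10.9.4.77|192.0.2.11
2003-08-03T12:37:44|WEB-IIS unicode directory traversal|10.9.6.3|192.0.2.10
2003-08-03T22:10:05|WEB-IIS cmd.exe access|10.9.1.30|192.0.2.10
2003-08-04T00:30:12|WEB-IIS cmd.exe access|10.9.2.41|192.0.2.11
2003-08-04T13:05:00|WEB-IIS unicode directory traversal|10.9.9.8|192.0.2.10
2003-08-04T14:01:02|WEB-MISC /etc/passwd|198.51.100.7|192.0.2.10
2003-08-04T14:01:09|WEB-MISC /etc/passwd|198.51.100.7|192.0.2.11
2003-08-04T14:02:33|WEB-PHP admin access|198.51.100.7|192.0.2.10
2003-08-04T14:03:10|WEB-PHP admin access|198.51.100.7|192.0.2.11
2003-08-04T14:04:51|WEB-MISC /etc/passwd|198.51.100.7|192.0.2.12
2003-08-04T14:05:27|WEB-IIS cmd.exe access|198.51.100.7|192.0.2.10
"""

BASELINE_DAYS = ["2003-08-01", "2003-08-02", "2003-08-03"]


def parse_alerts(text):
    """Parse the constructed log into dicts keyed by day, signature, src, dst."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, src, dst = line.split("|")
        alerts.append({"day": ts[:10], "sig": sig, "src": src, "dst": dst})
    return alerts


def daily_profiles(alerts):
    """Return {day: Counter(signature -> hits)}: the per-day attack profile."""
    profiles = defaultdict(Counter)
    for a in alerts:
        profiles[a["day"]][a["sig"]] += 1
    return profiles


def detect_profile_shift(alerts, baseline_days, spike_factor=3.0, min_share=0.5):
    """Compare every non-baseline day against the baseline profile and report
    (day, kind, subject, count) findings of three kinds:
      new-signature : a signature with zero hits in the baseline window
      spike         : a known signature exceeding spike_factor x its baseline daily mean
      focused-source: one source producing at least min_share of the day's alerts
    """
    if not baseline_days:
        raise ValueError("need at least one baseline day")
    profiles = daily_profiles(alerts)
    baseline = Counter()
    for day in baseline_days:
        baseline.update(profiles.get(day, Counter()))
    n_days = len(baseline_days)
    findings = []
    for day in sorted(profiles):
        if day in baseline_days:
            continue
        for sig, count in profiles[day].items():
            if baseline[sig] == 0:
                findings.append((day, "new-signature", sig, count))
            elif count > spike_factor * (baseline[sig] / n_days):
                findings.append((day, "spike", sig, count))
        # Worm noise is spread across many sources; a single source dominating
        # the day's alerts is the fingerprint of a focused probe.
        sources = Counter(a["src"] for a in alerts if a["day"] == day)
        src, hits = sources.most_common(1)[0]
        if hits / sum(sources.values()) >= min_share:
            findings.append((day, "focused-source", src, hits))
    return findings


if __name__ == "__main__":
    for finding in detect_profile_shift(parse_alerts(SAMPLE_ALERTS), BASELINE_DAYS):
        print("%s %-15s %-40s %d" % finding)
```

On the constructed sample, the baseline days produce no findings, and 2003-08-04 produces two new-signature findings (the /etc/passwd and admin-access probes) and one focused-source finding for 198.51.100.7, which accounts for six of the day's eight alerts; the familiar cmd.exe and unicode signatures stay within their baseline rates and are correctly ignored. In a real deployment the baseline window would be rolling rather than fixed, and the thresholds would be tuned per sensor, but the structure is the same: keep the failed attacks, because the shape of the noise is the signal.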