RE: Is Marty Lying?

["Brown, Rodrick" <rbrown () doitt nyc gov>]

There are many situations where IDS's are your only audit trail long
after your system has been compromised. 

Sort of like video surveillance for network security. 

............................................
.. Rodrick R. Brown - Systems Engineer    ..
.. Open Systems Group (718) 403-6760      ..
.. Dept. of Information Technology &      ..
.. Telecommunications. http://www.nyc.gov .. 
.. 11 Metrotech Center Brooklyn NY, 11201 ..
............................................

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of security
snot
Sent: Monday, September 22, 2003 5:14 PM
To: Gregory A. Gilliss
Cc: Peter Busser; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Is Marty Lying?

"Detect intrusions" - if you can set an IDS signature for something,
then
you shouldn't be vulnerable to it.  So the functionality of IDS is to
tell
you when you've been compromised by six-month old public vulnerabilities
that dvdman has finally gotten his hands on an exploit for, that you
never
bothered to patch for?

Useless.

-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-----------------------------------------------------------

On Mon, 22 Sep 2003, Gregory A. Gilliss wrote:

> Peter:
>
> Intrusion Detection systems are designed to detect intrusions. Period.
> No one AFAIK has yet developed the Intrusion Prediction system. If you
> have an alpha version lying around, pls respond with a link. I'm sure
> that you will quickly be deluged with download requests =;^)
>
> Reactive is the nature of the beast, a point that has been rehashed
many
> many times here and elsewhere. No finite state machine can anticipate
or
> detect the virus that I am right now writing, unless I foolishly make
part
> of the binary match an existing sig. there will *always* be a latency
> between action and response. One of the things that people on this
list
> do is attempt to assist each other in minimizing that latency.
>
> Now, if we could only get some of the vendors onboard >-)
>
> G
>
> On or about 2003.09.22 21:23:52 +0000, Peter Busser
(peter () trusteddebian org) said:
> > Hi!
> >
> > > > 3) Why the fuck do people still thing signature-based IDS is
worthwhile?
> > > Give us another solution. Are you saying anomoly based ids
signatures are
> > > _worthwhile_?
> >
> > The problem with IDS systems is the same problem that currently
available
> > virus scanners have: They work reactive and not proactive.
> >
> > Making machines harder to break into and improve ways to enforce a
security
> > policy (e.g. by using Mandatory Access Control (MAC)) would be one
way to
> > proactively deal with security.
>
> --
> Gregory A. Gilliss, CISSP                             Telephone: 1 650
872 2420
> Computer Engineering                                   E-mail:
greg () gilliss com
> Computer Security                                                ICQ:
123710561
> Software Development                          WWW:
http://www.gilliss.com/greg/
> PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14
0E 8C A3
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html