Full Disclosure mailing list archives
RE: The usefullness of IDSes (Was: Re: Is Marty Lying?)
From: "Philippe Bogaerts" <xxradar () radarhack com>
Date: Tue, 23 Sep 2003 10:01:16 +0200
Hello, I totally agree. An IDS for auditing firewall or other policies can be usefull, if properly configured. I simple hate the fact that most vendors position their IDS product as an attack blocking device. The only thing they can is actually RST tcp connections (sometimes). My opnion is that is quite a simple and basic method for doing attack blocking. Gr -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Peter Busser Sent: Tuesday, September 23, 2003 8:36 AM To: full-disclosure () lists netsys com Subject: The usefullness of IDSes (Was: Re: [Full-disclosure] Is Marty Lying?) Hi!
"Detect intrusions" - if you can set an IDS signature for something, then you shouldn't be vulnerable to it. So the functionality of IDS is to tell you when you've been compromised by six-month old public vulnerabilities that dvdman has finally gotten his hands on an exploit for, that you never bothered to patch for? Useless.
And what if you use an IDS for checking a security policy? E.g. if you have a special server that is only used by the accounting department and you set up rules to detect connections to that server coming from other departments? Or to monitor port scanning probes on the network. A system shouldn't be vulnerable to a probe. But it could mean the prelude to an attack. Of course these things could be detected by other means as well. Groetjes, Peter Busser -- The Adamantix Project Taking trustworthy software out of the labs, and into the real world http://www.adamantix.org/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Is Marty Lying?, (continued)
- Re: Is Marty Lying? daniel uriah clemens (Sep 22)
- Re: Is Marty Lying? Peter Busser (Sep 22)
- Re: Is Marty Lying? Gregory A. Gilliss (Sep 22)
- Re: Is Marty Lying? security snot (Sep 22)
- Re: Is Marty Lying? pdt (Sep 22)
- Re: Is Marty Lying? Florin Andrei (Sep 22)
- Re: Is Marty Lying? Justin (Sep 23)
- Re: Is Marty Lying? Paul Schmehl (Sep 22)
- Re: Is Marty Lying? Valdis . Kletnieks (Sep 22)
- The usefullness of IDSes (Was: Re: Is Marty Lying?) Peter Busser (Sep 23)
- RE: The usefullness of IDSes (Was: Re: Is Marty Lying?) Philippe Bogaerts (Sep 23)
- RE: The usefullness of IDSes (Was: Re: Is Marty Lying?) Cedric Blancher (Sep 23)
- Re: Is Marty Lying? Peter Busser (Sep 22)
- Re: Is Marty Lying? daniel uriah clemens (Sep 22)
- Re: Is Marty Lying? Peter Busser (Sep 22)
- Re: Is Marty Lying? Shawn McMahon (Sep 22)
- Re: Is Marty Lying? Frank Knobbe (Sep 22)