Dailydave mailing list archives

Re: Britney and Kevin are Chaotic


From: byte_jump <bytejump () gmail com>
Date: Thu, 26 May 2005 20:23:46 -0600

The cost of rolling out a Tripwire or Tripwire-like solution to
desktops in even a medium sized enterprise would be out of this world
compared to a couple of well placed NIDS, but I believe the two meet
different goals.

I don't think one can rely on a NIDS to provide the level of detection
that Tripwire can, and vice versa. For example, a NIDS would not
likely detect a private, zero-day exploit against an Apache server
while Tripwire may detect the alteration of files (maybe not). I think
PaX or something like that would be more useful in that regard, but
the two would complement each other.

On the other hand, it's not likely that Tripwire would detect that two
desktops are acting as their own SMTP servers to send mail - though a
NIDS could.

Again, trying to roll out something like Tripwire or PaX on an
enterprise network is next to impossible - and what do you do with all
of your Windows desktops?

Examples of what NIDS would be useful for, in my opinion, would be:
- Detect anomalous SMTP servers on the network.
- Detect unauthorized DNS or DHCP servers on a network.
- Detect IRC traffic.
- Detect traffic above a certain threshold.
- Detect an unsolicited ICMP echo reply or other potential covert channels.

There are other examples, but those quickly come to mind.

byte_jump

On 5/26/05, Adam Shostack <adam () homeport org> wrote:

Really?  Why not tripwire a few hosts?  Or wait for something bad to
happen?

Can you show me that spending on an IDS really leads to lower incident
handling costs?  (I suspect that it could, but have no data.)

Adam

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
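As an added illustration of the detection ideas in byte_jump's list (this is example code written for this archive page, not code from the post, the list, or any NIDS product), the following Python applies each heuristic to a handful of constructed flow records: desktops sending mail directly, hosts answering from DNS or DHCP service ports without being on the allow-list, IRC connections, a per-host byte threshold, and ICMP echo replies with no matching request. The record layout, the 10.0.0.x allow-list addresses, the IRC ports, the thresholds and the matching window are all assumptions.

```python
"""Toy NIDS-style heuristics over flow records.  Added example; the Flow layout,
addresses, ports and thresholds below are assumptions, and SAMPLE is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    ts: float                      # seconds since start of capture
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    nbytes: int = 0
    icmp_type: Optional[int] = None  # 8 = echo request, 0 = echo reply
    icmp_id: int = 0


# Hosts allowed to act as a server for each service port (hypothetical addresses).
AUTHORIZED = {
    25: {"10.0.0.10"},   # corporate mail relay
    53: {"10.0.0.53"},   # internal resolver
    67: {"10.0.0.67"},   # DHCP server
}
IRC_PORTS = {6667, 6697}


def rogue_servers(flows, authorized=AUTHORIZED):
    """Hosts *answering from* a service port (i.e. acting as the server) that are not
    on the allow-list for that service: rogue DNS/DHCP servers or SMTP listeners."""
    hits = {(f.src, f.sport) for f in flows
            if f.proto in ("tcp", "udp") and f.sport in authorized
            and f.src not in authorized[f.sport]}
    return sorted(hits)


def direct_smtp_senders(flows, authorized=AUTHORIZED):
    """Desktops delivering mail themselves: TCP/25 connections from any host that is
    not the sanctioned relay."""
    return sorted({f.src for f in flows
                   if f.proto == "tcp" and f.dport == 25 and f.src not in authorized[25]})


def irc_talkers(flows, ports=IRC_PORTS):
    """Connections to well-known IRC ports (a port match only; no payload inspection)."""
    return sorted({(f.src, f.dst, f.dport) for f in flows
                   if f.proto == "tcp" and f.dport in ports})


def volume_offenders(flows, threshold):
    """Hosts whose total bytes sent exceed the threshold."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.nbytes
    return sorted(h for h, n in totals.items() if n > threshold)


def unsolicited_echo_replies(flows, window=5.0):
    """Echo replies with no echo request in the opposite direction (same ICMP id)
    within the preceding window: a common marker of ICMP-based covert channels."""
    requests = {}   # (requester, target, icmp_id) -> time of last request
    hits = []
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto != "icmp":
            continue
        if f.icmp_type == 8:
            requests[(f.src, f.dst, f.icmp_id)] = f.ts
        elif f.icmp_type == 0:
            asked = requests.get((f.dst, f.src, f.icmp_id))
            if asked is None or f.ts - asked > window:
                hits.append((f.src, f.dst, f.icmp_id))
    return hits


# Constructed sample flows (not real traffic).
SAMPLE = [
    Flow(1.0, "10.0.0.10", "203.0.113.5", "tcp", 40000, 25, 1200),        # relay sends mail: fine
    Flow(2.0, "10.0.0.21", "203.0.113.5", "tcp", 40001, 25, 800),         # desktop sends mail itself
    Flow(3.0, "10.0.0.22", "10.0.0.21", "udp", 53, 51000, 120),           # desktop answering DNS
    Flow(4.0, "10.0.0.53", "10.0.0.21", "udp", 53, 51001, 120),           # real resolver answering
    Flow(5.0, "10.0.0.23", "255.255.255.255", "udp", 67, 68, 300),        # rogue DHCP offer
    Flow(6.0, "10.0.0.21", "198.51.100.7", "tcp", 40002, 6667, 500),      # IRC connection
    Flow(7.0, "10.0.0.24", "198.51.100.8", "tcp", 40003, 443, 90_000_000),  # very large upload
    Flow(8.0, "10.0.0.25", "198.51.100.9", "icmp", icmp_type=8, icmp_id=1),
    Flow(8.1, "198.51.100.9", "10.0.0.25", "icmp", icmp_type=0, icmp_id=1),  # solicited reply
    Flow(9.0, "198.51.100.9", "10.0.0.25", "icmp", icmp_type=0, icmp_id=7),  # nobody asked
]


def run_all(flows, byte_threshold=50_000_000):
    """Run every heuristic and return the findings keyed by heuristic name."""
    return {
        "rogue_servers": rogue_servers(flows),
        "direct_smtp_senders": direct_smtp_senders(flows),
        "irc_talkers": irc_talkers(flows),
        "volume_offenders": volume_offenders(flows, byte_threshold),
        "unsolicited_echo_replies": unsolicited_echo_replies(flows),
    }


if __name__ == "__main__":
    for name, findings in run_all(SAMPLE).items():
        print(f"{name}: {findings}")
```

Each function is a pure port, address or timing check over already-summarised flows, which is exactly the class of thing a NIDS sees and a host integrity checker does not; the converse (a modified binary on disk) is invisible to all of them.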