Dailydave mailing list archives

Re: Britney and Kevin are Chaotic


From: "Andrew R. Reiter" <arr () watson org>
Date: Fri, 27 May 2005 01:07:21 -0400 (EDT)

On Thu, 26 May 2005, byte_jump wrote:

:The cost of rolling out a Tripwire or Tripwire-like solution to
:desktops in even a medium sized enterprise would be out of this world
:compared to a couple of well placed NIDS, but I believe the two meet
:different goals.
:
:I don't think one can rely on a NIDS to provide the level of detection
:that Tripwire can, and vice versa. For example, a NIDS would not
:likely detect a private, zero-day exploit against an Apache server
:while Tripwire may detect the alteration of files (maybe not). I think
:PaX or something like that would be more useful in that regard, but
:the two would complement each other.
:
:On the other hand, it's not likely that Tripwire would detect that two
:desktops are acting as their own SMTP servers to send mail - though a
:NIDS could.
:
:Again, trying to roll out something like Tripwire or PaX on an
:enterprise network is next to impossible - and what do you do with all
:of your Windows desktops?
:
:Examples of what NIDS would be useful for, in my opinion, would be:
:- Detect anomalous SMTP servers on the network.
:- Detect unauthorized DNS or DHCP servers on a network.
:- Detect IRC traffic.
:- Detect traffic above a certain threshold.
:- Detect an unsolicited ICMP echo reply or other potential covert channels.
:
:There are other examples, but those quickly come to mind.

Mmm; I love how these products exist and people are ignorant of them.

:
:On 5/26/05, Adam Shostack <adam () homeport org> wrote:
:> 
:> Really?  Why not tripwire a few hosts?  Or wait for something bad to
:> happen?
:> 
:> Can you show me that spending on an IDS really leads to lower incident
:> handling costs?  (I suspect that it could, but have no data.)
:> 
:> Adam
:>
:_______________________________________________
:Dailydave mailing list
:Dailydave () lists immunitysec com
:https://lists.immunitysec.com/mailman/listinfo/dailydave
:
:

--
Andrew R. Reiter
arr () watson org
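The five network-side checks byte_jump lists above (rogue SMTP servers, unauthorized DNS or DHCP servers, IRC traffic, per-host volume thresholds, unsolicited ICMP echo replies) are small enough to show as flow-level detection logic. The block below is an added example written for this archive page; it is not code from the thread, from Tripwire, from PaX or from any NIDS product. The packet records are constructed sample traffic, and the allowlist of sanctioned servers, the IRC port set and the byte threshold are assumptions chosen for the example.

```python
"""Flow-level checks of the kind the quoted list attributes to a NIDS.

Records are constructed sample packets, not a real capture. APPROVED and
IRC_PORTS are assumed inventory values for the example network.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                       # "tcp", "udp" or "icmp"
    nbytes: int = 0
    synack: bool = False             # tcp: SYN+ACK set, i.e. host answering as a server
    icmp_type: Optional[int] = None  # icmp: 8 = echo request, 0 = echo reply


# Assumed inventory of sanctioned servers (example values, not from the thread).
APPROVED = {
    ("tcp", 25): {"10.0.0.5"},   # mail relay
    ("udp", 53): {"10.0.0.2"},   # resolver
    ("udp", 67): {"10.0.0.1"},   # DHCP server (offers are sent from port 67)
}
IRC_PORTS = {6667, 6697}         # assumed; real deployments key on protocol, not port


def rogue_servers(pkts):
    """Hosts serving SMTP/DNS/DHCP that are not on the allowlist.

    A TCP host is "serving" when it answers SYN+ACK from the service port;
    a UDP host when it emits datagrams whose source port is the service port.
    Returns {(proto, port): sorted offending hosts}.
    """
    found = defaultdict(set)
    for p in pkts:
        key = (p.proto, p.sport)
        if key not in APPROVED:
            continue
        if p.proto == "tcp" and not p.synack:
            continue                      # data segments do not prove a listener
        if p.src not in APPROVED[key]:
            found[key].add(p.src)
    return {k: sorted(v) for k, v in found.items()}


def irc_clients(pkts):
    """Internal hosts opening connections to IRC ports."""
    return sorted({p.src for p in pkts if p.proto == "tcp" and p.dport in IRC_PORTS})


def over_threshold(pkts, limit):
    """Hosts whose total bytes sent exceed `limit`."""
    totals = defaultdict(int)
    for p in pkts:
        totals[p.src] += p.nbytes
    return sorted(h for h, n in totals.items() if n > limit)


def unsolicited_echo_replies(pkts):
    """Echo replies with no earlier matching request: a classic ICMP covert-channel sign.

    Stateful: only requests seen earlier in the same record stream count, so a
    sensor that missed the request will raise a false positive.
    """
    requests = set()
    hits = []
    for p in pkts:
        if p.proto != "icmp":
            continue
        if p.icmp_type == 8:
            requests.add((p.src, p.dst))
        elif p.icmp_type == 0 and (p.dst, p.src) not in requests:
            hits.append((p.src, p.dst))
    return hits


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Pkt("10.0.0.5", 25, "10.0.0.40", 51000, "tcp", synack=True),        # sanctioned relay
    Pkt("10.0.0.41", 25, "203.0.113.9", 4411, "tcp", synack=True),      # desktop acting as SMTP server
    Pkt("10.0.0.41", 25, "203.0.113.9", 4411, "tcp", synack=False),     # same flow, plain data
    Pkt("10.0.0.42", 53, "10.0.0.40", 33000, "udp"),                    # unauthorized DNS server
    Pkt("10.0.0.43", 67, "255.255.255.255", 68, "udp"),                 # rogue DHCP offer
    Pkt("10.0.0.44", 50001, "198.51.100.7", 6667, "tcp", nbytes=300),   # IRC client
    Pkt("10.0.0.40", 40000, "10.0.0.2", 53, "udp", nbytes=80),          # normal DNS query
    Pkt("10.0.0.45", 40001, "198.51.100.8", 443, "tcp", nbytes=9_000_000),  # bulk upload
    Pkt("10.0.0.40", 0, "10.0.0.46", 0, "icmp", icmp_type=8),           # echo request
    Pkt("10.0.0.46", 0, "10.0.0.40", 0, "icmp", icmp_type=0),           # solicited reply
    Pkt("198.51.100.9", 0, "10.0.0.47", 0, "icmp", icmp_type=0),        # unsolicited reply
]

if __name__ == "__main__":
    print(rogue_servers(SAMPLE))
    print(irc_clients(SAMPLE))
    print(over_threshold(SAMPLE, 1_000_000))
    print(unsolicited_echo_replies(SAMPLE))
```

None of these checks says anything about what is on the host's disk, which is byte_jump's point: they see a desktop answering on port 25 or replying to pings nobody sent, not the modified binary that made it do so. They also only work for traffic the sensor is placed to see.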