Dailydave mailing list archives
Re: Britney and Kevin are Chaotic
From: "Andrew R. Reiter" <arr () watson org>
Date: Fri, 27 May 2005 01:07:21 -0400 (EDT)
On Thu, 26 May 2005, byte_jump wrote:

:The cost of rolling out a Tripwire or Tripwire-like solution to
:desktops in even a medium sized enterprise would be out of this world
:compared to a couple of well placed NIDS, but I believe the two meet
:different goals.
:
:I don't think one can rely on a NIDS to provide the level of detection
:that Tripwire can, and vice versa. For example, a NIDS would not
:likely detect a private, zero-day exploit against an Apache server
:while Tripwire may detect the alteration of files (maybe not). I think
:PaX or something like that would be more useful in that regard, but
:the two would complement each other.
:
:On the other hand, it's not likely that Tripwire would detect that two
:desktops are acting as their own SMTP servers to send mail - though a
:NIDS could.
:
:Again, trying to roll out something like Tripwire or PaX on an
:enterprise network is next to impossible - and what do you do with all
:of your Windows desktops?
:
:Examples of what NIDS would be useful for, in my opinion, would be:
:- Detect anomalous SMTP servers on the network.
:- Detect unauthorized DNS or DHCP servers on a network.
:- Detect IRC traffic.
:- Detect traffic above a certain threshold.
:- Detect an unsolicited ICMP echo reply or other potential covert channels.
:
:There are other examples, but those quickly come to mind.

Mmm; I love how these products exist and people are ignorant of them.

:
:On 5/26/05, Adam Shostack <adam () homeport org> wrote:
:>
:> Really? Why not tripwire a few hosts? Or wait for something bad to
:> happen?
:>
:> Can you show me that spending on an IDS really leads to lower incident
:> handling costs? (I suspect that it could, but have no data.)
:>
:> Adam
:>
:_______________________________________________
:Dailydave mailing list
:Dailydave () lists immunitysec com
:https://lists.immunitysec.com/mailman/listinfo/dailydave
:
:

--
Andrew R. Reiter
arr () watson org
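
Three of the NIDS use cases listed in the quoted message (desktops sending their own SMTP, unauthorized DNS/DHCP servers, unsolicited ICMP echo replies), as an added example that is not part of the original thread. The record layout, the `10.0.0.0/8` internal range, the approved-server list and the sample packets are all assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Hypothetical packet summary; the last four fields default to None.
Pkt = namedtuple("Pkt", "src dst proto sport dport icmp_type icmp_id",
                 defaults=(None,) * 4)

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed site address space
APPROVED = {"smtp": {"10.0.0.25"}, "dns": {"10.0.0.53"}, "dhcp": {"10.0.0.1"}}

def internal(host):
    return ipaddress.ip_address(host) in INTERNAL

def detect(packets):
    """Return sorted (host, finding) tuples for the policy violations seen."""
    findings, pending = set(), set()   # pending: echo requests awaiting a reply
    for p in packets:
        if p.proto == "tcp" and p.dport == 25:
            # Mail that bypasses the approved relay: a desktop doing its own SMTP.
            if internal(p.src) and not {p.src, p.dst} & APPROVED["smtp"]:
                findings.add((p.src, "direct-smtp"))
        elif p.proto == "udp" and p.sport in (53, 67):
            # An internal host answering as a DNS or DHCP server without approval.
            svc = "dns" if p.sport == 53 else "dhcp"
            if internal(p.src) and p.src not in APPROVED[svc]:
                findings.add((p.src, "rogue-" + svc))
        elif p.proto == "icmp" and p.icmp_type == 8:      # echo request
            pending.add((p.src, p.dst, p.icmp_id))
        elif p.proto == "icmp" and p.icmp_type == 0:      # echo reply
            key = (p.dst, p.src, p.icmp_id)
            if key in pending:
                pending.discard(key)
            else:
                findings.add((p.src, "unsolicited-echo-reply"))
    return sorted(findings)

# Constructed sample traffic, not a real capture.
SAMPLE = [
    Pkt("10.0.1.15", "10.0.0.25", "tcp", 40000, 25),        # mail via the relay
    Pkt("10.0.1.77", "203.0.113.9", "tcp", 40001, 25),      # desktop sends direct
    Pkt("10.0.0.53", "10.0.1.15", "udp", 53, 33000),        # approved resolver
    Pkt("10.0.1.90", "10.0.1.15", "udp", 53, 33001),        # unapproved DNS answer
    Pkt("10.0.1.91", "255.255.255.255", "udp", 67, 68),     # unapproved DHCP offer
    Pkt("10.0.1.15", "198.51.100.7", "icmp", icmp_type=8, icmp_id=7),
    Pkt("198.51.100.7", "10.0.1.15", "icmp", icmp_type=0, icmp_id=7),
    Pkt("198.51.100.8", "10.0.1.77", "icmp", icmp_type=0, icmp_id=99),
]

if __name__ == "__main__":
    for host, finding in detect(SAMPLE):
        print(host, finding)
```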