Re: how to do intrusion detection right

[Nicholas Charles Brawn <ncb05 () uow edu au>]

Would you then not run the risk of attackers masking hostile traffic by
making it appear to look "expected"?

Nicholas Brawn

--
Email: ncb05 () uow edu au 
Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.

On Thu, 16 Apr 1998, George J. Dolicker wrote:

> I think perhaps what the intrusion detection system might do is not look
> for something "interesting", but rather something "different".  Rather than
> trying to define what is a problem, define what is NOT a problem... so
> configure the IDS to smile upon traffic that is expected, and panic over
> anything else.
>
> Same principal we use in firewalling:  that which is not explictly
> permitted is denied.  
>
> G.
>
> At 12:02 PM 4/16/98 MDT, Martin W Freiss wrote:
> > When the administrator can tailor the IDS to unacceptable/interesting
> > stuff on the net, what he does is transfer his own mindset about security
> > to the IDS. I then have a machine that "thinks" like me, which thus alerts 
> > me about facts that I am already aware of - a useful thing that may save 
> > some work, but will not help me notice next week's bug being exploited. 
> >
> > I may be stupid, but what is "interesting" is something I do not know 
> > before an intrusion attempt.
> > Tomorrow's attack may use some technique that is "obviously" safe today,
> > thus bypassing my (human or computer) filtering layer. Using a sufficiently
> > "new" technique, my firewall will probably not notice that it has been 
> > broached. What _can_ help me is having a complete log of everything that
> > has been going through the network, which I can then analyze to understand
> > what has happened. An intrusion analysis system, if you will - which 
> > so far includes a large human component.
> >
> > -Martin