Firewall Wizards mailing list archives
Re: how to do intrusion detection right
From: Nicholas Charles Brawn <ncb05 () uow edu au>
Date: Sat, 18 Apr 1998 13:04:14 +1000 (EST)
Would you then not run the risk of attackers masking hostile traffic by making it appear to look "expected"?

Nicholas Brawn
--
Email: ncb05 () uow edu au
Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.

On Thu, 16 Apr 1998, George J. Dolicker wrote:
> I think perhaps what the intrusion detection system might do is not look for something "interesting", but rather something "different". Rather than trying to define what is a problem, define what is NOT a problem... so configure the IDS to smile upon traffic that is expected, and panic over anything else. Same principle we use in firewalling: that which is not explicitly permitted is denied.
>
> G.
>
> At 12:02 PM 4/16/98 MDT, Martin W Freiss wrote:
> > When the administrator can tailor the IDS to unacceptable/interesting stuff on the net, what he does is transfer his own mindset about security to the IDS. I then have a machine that "thinks" like me, which thus alerts me about facts that I am already aware of - a useful thing that may save some work, but will not help me notice next week's bug being exploited.
> >
> > I may be stupid, but what is "interesting" is something I do not know before an intrusion attempt. Tomorrow's attack may use some technique that is "obviously" safe today, thus bypassing my (human or computer) filtering layer. Using a sufficiently "new" technique, my firewall will probably not notice that it has been broached.
> >
> > What _can_ help me is having a complete log of everything that has been going through the network, which I can then analyze to understand what has happened. An intrusion analysis system, if you will - which so far includes a large human component.
> >
> > -Martin
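The three positions in this exchange (George's "that which is not explicitly permitted is denied" IDS, Nicholas's worry that hostile traffic can be shaped to look "expected", and Martin's complete log kept for later analysis) can be seen together in a small default-deny flow classifier. This is an added illustration, not code from any list participant; the flow-log format, the rule set, the network ranges and the per-rule byte baseline are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    bytes_out: int

@dataclass(frozen=True)
class ExpectedRule:
    """One entry in the allowlist of traffic the site expects to see."""
    name: str
    proto: str
    src_net: str
    dst_net: str
    dport: int
    max_bytes: Optional[int] = None  # hypothetical per-flow volume baseline

def parse_flow(line: str) -> Flow:
    # Constructed log format: "<ts> <proto> <src>:<sport> -> <dst>:<dport> <bytes>"
    ts, proto, src, arrow, dst, nbytes = line.split()
    if arrow != "->":
        raise ValueError(f"malformed flow line: {line!r}")
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(ts, proto, s_ip, int(s_port), d_ip, int(d_port), int(nbytes))

def match_rule(flow: Flow, rule: ExpectedRule) -> bool:
    return (flow.proto == rule.proto
            and flow.dport == rule.dport
            and ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst_net))

def classify(flow: Flow, rules: List[ExpectedRule]) -> Tuple[str, str]:
    """Default deny: anything no rule permits is UNEXPECTED.

    A flow that matches a rule by address and port but exceeds the rule's
    volume baseline is reported as ANOMALY. That second check is the only
    thing standing between the allowlist and traffic deliberately shaped
    to look expected (Nicholas's objection)."""
    for rule in rules:
        if match_rule(flow, rule):
            if rule.max_bytes is not None and flow.bytes_out > rule.max_bytes:
                return ("ANOMALY",
                        f"{rule.name}: {flow.bytes_out} bytes exceeds baseline {rule.max_bytes}")
            return ("EXPECTED", rule.name)
    return ("UNEXPECTED", "no rule permits this flow")

def analyze(lines: List[str], rules: List[ExpectedRule]):
    """Keep a full record of every flow (Martin's complete log) and
    separately return the subset that warrants attention."""
    records, alerts = [], []
    for line in lines:
        flow = parse_flow(line)
        verdict, why = classify(flow, rules)
        records.append((flow, verdict, why))
        if verdict != "EXPECTED":
            alerts.append((flow, verdict, why))
    return records, alerts

# Constructed allowlist: inside is 10.0.0.0/8, the site's servers sit in 192.0.2.0/24.
RULES = [
    ExpectedRule("inbound mail", "tcp", "0.0.0.0/0", "192.0.2.25/32", 25),
    ExpectedRule("inbound web", "tcp", "0.0.0.0/0", "192.0.2.80/32", 80),
    ExpectedRule("outbound web", "tcp", "10.0.0.0/8", "0.0.0.0/0", 80, max_bytes=5_000_000),
    ExpectedRule("outbound dns", "udp", "10.0.0.0/8", "0.0.0.0/0", 53),
]

# Constructed sample flow log.
SAMPLE_LOG = [
    "1998-04-16T12:02:00 tcp 198.51.100.9:4455 -> 192.0.2.25:25 1800",
    "1998-04-16T12:03:10 tcp 10.1.2.3:4456 -> 198.51.100.7:80 4200",
    "1998-04-16T12:04:05 tcp 198.51.100.9:3100 -> 192.0.2.25:23 90",
    "1998-04-16T12:05:30 tcp 10.1.2.3:4457 -> 198.51.100.7:80 40000000",
]

if __name__ == "__main__":
    records, alerts = analyze(SAMPLE_LOG, RULES)
    for flow, verdict, why in records:
        print(f"{flow.ts} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} {verdict} ({why})")
    print(f"{len(alerts)} of {len(records)} flows need a human look")
```

The third sample line (telnet to the mail server from outside) is caught purely by default deny, with no signature for it anywhere. The fourth line matches the "outbound web" rule on every field the allowlist checks and is surfaced only because the rule also carries a baseline, which is the practical answer to the masking concern: an allowlist says what is permitted, and a baseline on the permitted traffic says what "normal" looks like inside it. Everything, expected or not, stays in `records`, so the analysis Martin describes is still possible after the fact.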
Current thread:
- how to do intrusion detection right Marcus J. Ranum (Apr 14)
- When to do something about detected attacks (was Re: how to do...) Jeff Sedayao (Apr 15)
- Re: how to do intrusion detection right Paul D. Robertson (Apr 15)
- Re: how to do intrusion detection right Marcus J. Ranum (Apr 15)
- Re: how to do intrusion detection right Paul D. Robertson (Apr 15)
- Re: how to do intrusion detection right Martin W Freiss (Apr 16)
- Re: how to do intrusion detection right George J. Dolicker (Apr 17)
- Re: how to do intrusion detection right Nicholas Charles Brawn (Apr 18)
- Re: how to do intrusion detection right Sheila Or Bob (depends on who is writing) (Apr 18)
- Re: how to do intrusion detection right Marcus J. Ranum (Apr 15)
- <Possible follow-ups>
- RE: how to do intrusion detection right Gary Crumrine (Apr 20)