Firewall Wizards mailing list archives

Re: Intrusion Detection


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Tue, 14 Apr 1998 19:17:01 -0400

Aleph One wrote:
> > To me the big open question in ID is "why?" not "what?"
>
> Because if you do not alert the user that he is under attack by the
> attacks that you can detect and evade he will never know when the hacker
> moves on to some new attack your gizmo does not know about yet.

That's what I'm talking about. IDS' useful role is as a backstop
against intrusions that have succeeded, not as frontal armor against
known attacks which (most likely) won't succeed. Note that most of
the current IDS products on the market are the "frontal armor" type.

I guess I'm doing a lousy job of explaining myself (chalk it up to
fatigue) -- the place where IDS are valuable is as automated tools
to do what Ches used to call "Tar Babies" -- traps and alarms that
are scattered within the network, to call attention to the presence
of unusual activity. This DOES NOT mean that they'll catch the attack
based on the attack technique used!!

I'm going to have a decent dinner and see if I can post a decent
description of what I'm talking about later this evening.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
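An added illustration of the distinction drawn above (not code from the post or from NFR): a "frontal armor" matcher that only fires on attack patterns it already knows, beside a "tar baby" alarm that fires on any contact with a decoy host or file, whatever technique was used. The event log, the signature patterns and the decoy names are all constructed for the example.

```python
"""Two IDS roles side by side: signature matching against known attacks
versus decoy alarms that ignore technique and watch for touches of
resources no legitimate user has reason to use."""
import re

# Constructed sample events: (source host, destination host, request line).
EVENTS = [
    ("10.0.0.5", "www", "GET /index.html"),
    ("10.0.0.5", "www", "GET /cgi-bin/old-probe"),             # matches a known signature
    ("10.0.0.9", "www", "GET /docs/report.html"),
    ("10.0.0.9", "backup-old", "GET /admin/config.txt"),       # decoy host, no signature
    ("10.0.0.9", "www", "GET /.snapshot/secret-plans.txt"),    # decoy path, no signature
]

# Patterns for the attacks the signature detector already knows about (constructed).
SIGNATURES = {
    "old-probe": re.compile(r"/cgi-bin/old-probe"),
    "dot-dot": re.compile(r"\.\./"),
}

# Decoys: a host and two paths that exist only so that touching them raises an alarm.
DECOY_HOSTS = {"backup-old"}
DECOY_PATHS = {"/admin/config.txt", "/.snapshot/secret-plans.txt"}


def signature_alerts(events):
    """Frontal armor: alerts only when a request matches a known pattern."""
    hits = []
    for src, dst, req in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(req):
                hits.append((name, src, dst))
    return hits


def tripwire_alerts(events):
    """Backstop: alerts on any contact with a decoy, regardless of technique."""
    hits = []
    for src, dst, req in events:
        path = req.split(" ", 1)[1] if " " in req else req
        if dst in DECOY_HOSTS or path in DECOY_PATHS:
            hits.append(("decoy-touch", src, dst))
    return hits


if __name__ == "__main__":
    print("signature:", signature_alerts(EVENTS))
    print("tripwire: ", tripwire_alerts(EVENTS))
```

The second source never trips a signature, yet the decoy alarm reports both of its probes; that is the "backstop" role, catching the intruder already inside without knowing how they got there.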
