Firewall Wizards mailing list archives
Re: Intrusion Detection
From: Adam Shostack <adam () homeport org>
Date: Wed, 15 Apr 1998 09:12:40 -0400 (EDT)
Aleph, I think you're correct in that you can detect the fact that you're under attack. Marcus is right in that most people don't have time to track it down and slap the script kiddie who is doing it. I'll extend what he said and say that most people don't have the expertise to analyze an NFR log to figure out what happened next.

Adam

Aleph One wrote:
| On Tue, 14 Apr 1998, Marcus J. Ranum wrote:
|
| > Adam,
| >
| > To me the big open question in ID is "why?" not "what?"
|
| Because if you do not alert the user that he is under attack by the
| attacks that you can detect and evade he will never know when the hacker
| moves on to some new attack your gizmo does not know about yet. Most
| attackers will move from one technique to the next until they find one that
| works.
|
| For example, if someone portscans you and finds you are running a daemon
| for the FOO protocol in port 666 with a bug he knows about but your IDS
| does not and the IDS does not report the portscan because you don't want to
| be bothered then you have just thrown out the only clue you had that you
| may have been broken into.
|
| Aleph One / aleph1 () dfw net
| http://underground.org/
| KeyID 1024/948FD6B5
| Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

--
Just be thankful that Microsoft does not manufacture pharmaceuticals.