Firewall Wizards mailing list archives

Re: Intrusion Detection


From: Adam Shostack <adam () homeport org>
Date: Wed, 15 Apr 1998 09:12:40 -0400 (EDT)

Aleph,

        I think you're correct in that you can detect the fact that
you're under attack.  Marcus is right in that most people don't have
time to track it down and slap the script kiddie who is doing it.
I'll extend what he said and say that most people don't have the
expertise to analyze an NFR log to figure out what happened next.

Adam


Aleph One wrote:
| On Tue, 14 Apr 1998, Marcus J. Ranum wrote:
| 
| > Adam,
| > 
| >     To me the big open question in ID is "why?" not "what?"
| 
| Because if you do not alert the user that he is under attack by the
| attacks that you can detect and evade he will never know when the hacker
| moves on to some new attack your gizmo does not know about yet. Most
| attackers will move from one technique to the next until they find one that
| works.
| 
| For example, if someone portscans you and finds you are running a daemon
| for the FOO protocol on port 666 with a bug he knows about but your IDS
| does not, and the IDS does not report the portscan because you don't want to
| be bothered, then you have just thrown out the only clue you had that you
| may have been broken into.
| 
| Aleph One / aleph1 () dfw net
| http://underground.org/
| KeyID 1024/948FD6B5 
| Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
| 


-- 
Just be thankful that Microsoft does not manufacture pharmaceuticals.
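The scenario Aleph One describes (a portscan that is suppressed as noise, followed by a connection to a port the IDS has no signature for) is easy to show in code. The following is an added example, not code from either poster or from NFR: it reads a constructed connection log in the assumed form `<epoch> <src_ip> <dst_ip> <dst_port> <ACCEPT|DROP>`, flags a source that touches several distinct ports within a short window as a scanner at low priority, and then escalates any later accepted connection from that same source. The threshold, window and log format are assumptions chosen for illustration.

```python
"""Added example (not from the thread): keep low-priority scan alerts so that
a later, unrecognised attack from the same source can still be correlated.

Assumed log line format (constructed for this example):
    <epoch> <src_ip> <dst_ip> <dst_port> <verdict>     verdict: ACCEPT | DROP
"""
from collections import defaultdict

SCAN_PORT_THRESHOLD = 5     # distinct destination ports from one source (assumption)
SCAN_WINDOW_SECONDS = 60    # sliding window for counting those ports (assumption)

# Constructed sample log: one source probes several ports, then comes back
# later and successfully connects to port 666, the "FOO daemon" of the post.
SAMPLE_LOG = """\
1000 10.0.0.9 192.0.2.10 21 DROP
1001 10.0.0.9 192.0.2.10 22 DROP
1002 10.0.0.9 192.0.2.10 23 DROP
1003 10.0.0.9 192.0.2.10 80 ACCEPT
1004 10.0.0.9 192.0.2.10 443 DROP
1005 10.0.0.9 192.0.2.10 666 ACCEPT
1500 10.0.0.9 192.0.2.10 666 ACCEPT
1600 10.0.0.77 192.0.2.10 80 ACCEPT
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, src, dst, port, verdict = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "port": int(port), "verdict": verdict}


def analyze(log_text):
    """Return (scan_alerts, escalated).

    scan_alerts: list of (src, first_ts, sorted_ports) for each source that
                 hit SCAN_PORT_THRESHOLD distinct ports inside the window.
    escalated:   ACCEPTed connection events from an already-flagged scanner
                 that occur after the scan was flagged. These are the "clue"
                 that is lost if scan alerts are discarded as noise.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(list)   # src -> [(ts, port), ...] inside the window
    scanners = {}                # src -> ts at which it was flagged
    scan_alerts = []
    escalated = []

    for e in events:
        src = e["src"]

        # Correlation step: a successful connection from a known scanner is
        # worth a look even if no signature matches the protocol on that port.
        if src in scanners and e["verdict"] == "ACCEPT" and e["ts"] > scanners[src]:
            escalated.append(e)

        # Maintain the sliding window of (ts, port) pairs for this source.
        window = [(t, p) for (t, p) in recent[src]
                  if e["ts"] - t <= SCAN_WINDOW_SECONDS]
        window.append((e["ts"], e["port"]))
        recent[src] = window

        # Low-priority scan alert: record it rather than drop it.
        ports = {p for _, p in window}
        if src not in scanners and len(ports) >= SCAN_PORT_THRESHOLD:
            scanners[src] = e["ts"]
            scan_alerts.append((src, window[0][0], sorted(ports)))

    return scan_alerts, escalated


if __name__ == "__main__":
    scans, later = analyze(SAMPLE_LOG)
    for src, first_ts, ports in scans:
        print(f"LOW  scan from {src} starting t={first_ts}: ports {ports}")
    for e in later:
        print(f"HIGH accepted connection from scanner {e['src']} "
              f"to port {e['port']} at t={e['ts']}")
```

The design point is that the scan alert itself stays low priority; what matters is that it is recorded, so the later connection to port 666 (which the detector has no knowledge of) can be raised to high priority purely because of who it came from.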


