Firewall Wizards mailing list archives

Re: how to do intrusion detection right


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 15 Apr 1998 18:17:50 -0400

Paul D. Robertson wrote:
1.3) The more adept ones will filter the alerts through some sort of 
    engine to decide which ones reach their pager.  In some environments
    this could be a very good thing.

1.4) Others will learn which alerts mean "hit erase" and which ones mean
    "grab the Palm Pilot and ssh in".

In other words, the administrator will apply site policy to the IDS
by building a filtering layer on top of its alert mechanism. That will
be based on the administrator's knowledge of site policy and local
risk/threat posture.

We're 100% agreed. But what I am saying is that the IDS should
be able to permit that tuning directly, by getting that information
from the administrator so the IDS can tailor its behavior to what
it has been told is acceptable/unacceptable/interesting about the
network it's watching.

mjr.
[
:) Part of what's going on here is that I posted a bunch of
arguments when I was really tired and braindamaged, and I did
most of my writing using my own messed-up internal terminology
and logic. :) Which was a big mistake because I've confused
people or convinced them I am a nut. :)
]
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
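The "filtering layer on top of the alert mechanism" that the two posters agree on, sketched as an added example (not code from the thread, from NFR, or from either author): a small triage function that takes IDS alerts and a declared site policy (what is acceptable, what is unacceptable, who the known scanners are) and decides whether an alert is "hit erase", "log it", or "grab the Palm Pilot". The alert fields, the policy schema, the three action names and the sample addresses are all assumptions constructed for the example.

```python
"""Policy-driven IDS alert triage (added example, not from the original post).

Assumed alert shape: one record per IDS hit with source, destination,
destination port, signature name and the IDS's own severity (1..3).
Assumed policy shape: acceptable services per network, hosts that are
never to be touched, and scanners the site already knows about.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dport: int
    sig: str
    severity: int  # as reported by the IDS, 1 (low) .. 3 (high)


@dataclass
class SitePolicy:
    # network -> ports the site has declared acceptable there ("erase" these)
    acceptable: Dict[str, List[int]] = field(default_factory=dict)
    # hosts where any alert is unacceptable regardless of IDS severity ("page")
    crown_jewels: List[str] = field(default_factory=list)
    # sources the site knows generate noise, e.g. its own vulnerability scanner
    known_scanners: List[str] = field(default_factory=list)


def triage(alert: Alert, policy: SitePolicy) -> str:
    """Map one alert to 'erase', 'log' or 'page' using site policy first,
    and the IDS's generic severity only as the fallback."""
    dst = ip_address(alert.dst)
    src = ip_address(alert.src)

    # Site knowledge outranks the IDS's opinion: anything aimed at a
    # crown jewel is unacceptable, even a low-severity signature.
    if any(dst == ip_address(h) for h in policy.crown_jewels):
        return "page"

    # Our own scanner tripping the IDS is interesting to record, not pageable.
    if any(src == ip_address(h) for h in policy.known_scanners):
        return "log"

    # Traffic the site has declared acceptable on that network is noise.
    for net, ports in policy.acceptable.items():
        if dst in ip_network(net) and alert.dport in ports:
            return "erase"

    # No policy statement covers this alert; fall back to IDS severity.
    return "page" if alert.severity >= 3 else "log"


def triage_all(alerts: Iterable[Alert], policy: SitePolicy) -> Dict[str, List[Alert]]:
    """Bucket a batch of alerts by the action the policy assigns them."""
    buckets: Dict[str, List[Alert]] = {"erase": [], "log": [], "page": []}
    for a in alerts:
        buckets[triage(a, policy)].append(a)
    return buckets


# Constructed sample policy and alerts (documentation-range addresses).
SAMPLE_POLICY = SitePolicy(
    acceptable={"192.0.2.0/24": [80, 443]},
    crown_jewels=["192.0.2.10"],
    known_scanners=["198.51.100.7"],
)

SAMPLE_ALERTS = [
    Alert("203.0.113.5", "192.0.2.80", 80, "HTTP GET /cgi-bin/phf", 2),   # public web: erase
    Alert("203.0.113.5", "192.0.2.10", 22, "SSH brute force", 3),         # crown jewel: page
    Alert("198.51.100.7", "192.0.2.80", 23, "telnet probe", 3),           # own scanner: log
    Alert("203.0.113.9", "192.0.2.55", 23, "telnet probe", 3),            # unknown, severe: page
    Alert("203.0.113.9", "192.0.2.55", 8080, "HTTP on odd port", 1),      # unknown, minor: log
]


if __name__ == "__main__":
    for action, hits in triage_all(SAMPLE_ALERTS, SAMPLE_POLICY).items():
        print(f"{action:5s} {len(hits)}")
        for a in hits:
            print(f"      {a.src} -> {a.dst}:{a.dport}  {a.sig}")
```

The ordering of the checks is the point: a site-specific rule (crown jewel, known scanner, declared-acceptable service) is consulted before the IDS's generic severity, which is what "feeding the policy into the IDS" buys over paging on raw severity. The same phf signature is noise against a public web server and pageable against a host the policy says nobody should be talking to.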
