Firewall Wizards mailing list archives
Re: how to do intrusion detection right
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 15 Apr 1998 18:17:50 -0400
Paul D. Robertson wrote:
1.3) The more adept ones will filter the alerts through some sort of engine to decide which ones reach their pager. In some environments this could be a very good thing.
1.4) Others will learn which alerts mean "hit erase" and which ones mean "grab the Palm Pilot and ssh in".
In other words, the administrator will apply site policy to the IDS by building a filtering layer on top of its alert mechanism. That will be based on the administrator's knowledge of site policy and local risk/threat posture. We're 100% agreed. But what I am saying is that the IDS should be able to permit that tuning directly, by getting that information from the administrator so the IDS can tailor its behavior to what it has been told is acceptable/unacceptable/interesting about the network it's watching.

mjr.

[ :) Part of what's going on here is that I posted a bunch of arguments when I was really tired and braindamaged, and I did most of my writing using my own messed-up internal terminology and logic. :) Which was a big mistake because I've confused people or convinced them I am a nut. :) ]

--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
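A sketch of the policy-driven filtering layer discussed in this exchange, added here as an example and not code from the thread or from NFR: the administrator declares what is acceptable, unacceptable and interesting, and each alert is mapped to "erase", "log" or "page". The alert record shape, the policy keys and the sample alerts are all constructed assumptions.

```python
import ipaddress
# Constructed site policy: what the administrator tells the IDS is
# acceptable, unacceptable, or merely interesting on this network.
SITE_POLICY = {
    "internal_nets": ["10.0.0.0/8"],
    # Services the administrator expects to be reachable on given hosts.
    "expected_services": {"10.0.1.5": {25, 80}, "10.0.1.6": {53}},
    # Signatures this site never wants to see ("hit erase").
    "erase_signatures": {"icmp-echo-sweep"},
    # Signatures that are unacceptable anywhere ("grab the Palm Pilot").
    "page_signatures": {"buffer-overflow-attempt", "root-shell-detected"},
}

def is_internal(addr, policy=SITE_POLICY):
    """True if addr falls inside one of the site's declared internal nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in policy["internal_nets"])

def triage(alert, policy=SITE_POLICY):
    """Map one alert to 'erase', 'log' or 'page' under the site policy.
    The alert shape (dict with signature/src/dst/dst_port) is assumed."""
    sig, dst, port = alert["signature"], alert["dst"], alert["dst_port"]
    if sig in policy["erase_signatures"]:
        return "erase"  # known noise at this site: never interesting
    if sig in policy["page_signatures"]:
        return "page"   # unacceptable regardless of target
    if port in policy["expected_services"].get(dst, set()):
        return "log"    # acceptable: an expected service, keep a record only
    if is_internal(dst, policy):
        return "page"   # interesting: unexpected service on one of our hosts
    return "log"        # not aimed at our network: record, don't page

def triage_all(alerts, policy=SITE_POLICY):
    """Bucket a batch of alerts by action, keeping each alert's signature."""
    buckets = {"erase": [], "log": [], "page": []}
    for alert in alerts:
        buckets[triage(alert, policy)].append(alert["signature"])
    return buckets

# Constructed sample alerts, not real IDS output.
SAMPLE_ALERTS = [
    {"signature": "icmp-echo-sweep", "src": "198.51.100.7", "dst": "10.0.1.5", "dst_port": 0},
    {"signature": "root-shell-detected", "src": "198.51.100.7", "dst": "10.0.1.5", "dst_port": 80},
    {"signature": "smtp-probe", "src": "198.51.100.8", "dst": "10.0.1.5", "dst_port": 25},
    {"signature": "telnet-login-attempt", "src": "198.51.100.9", "dst": "10.0.1.6", "dst_port": 23},
    {"signature": "telnet-login-attempt", "src": "10.0.2.2", "dst": "192.0.2.9", "dst_port": 23},
]
```

The same telnet signature lands in different buckets depending only on whether the target is one of the site's own hosts, which is the kind of tailoring the message argues the IDS should accept directly rather than leave to a bolted-on filter.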