Firewall Wizards mailing list archives
Re: how to do intrusion detection right
From: "Paul D. Robertson" <proberts () clark net>
Date: Wed, 15 Apr 1998 19:14:50 -0400 (EDT)
On Wed, 15 Apr 1998, Marcus J. Ranum wrote:
> Paul D. Robertson wrote:
> > 1.3) The more adept ones will filter the alerts through some sort of engine to decide which ones reach their pager. In some environments this could be a very good thing.
> > 1.4) Others will learn which alerts mean "hit erase" and which ones mean "grab the Palm Pilot and ssh in".
>
> In other words, the administrator will apply site policy to the IDS by building a filtering layer on top of its alert mechanism. That will be based on the administrator's knowledge of site policy and local risk/threat posture. We're 100% agreed. But what I am saying is that the IDS should be able to permit that tuning directly, by getting that information from the administrator so the IDS can tailor its behavior to what it has been told is acceptable/unacceptable/interesting about the network it's watching.
Right, but what I'm saying, and I failed to clearly state it because I was too busy making witty 6 year-old comments ;), is that this is better done at the administrator level in some cases. A learning admin needs to be able to learn what's "good" and "bad", and as a network changes, the IDS' filters won't get updated; the human ones may. While certainly there are people who will lose their tolerance over time and hit "delete" every time, there are also people who will want to adjust their thresholds in real-time. This may or may not be possible at the IDS (how much change do you expect on a security-critical machine? I like little because it makes changes auditable). While it may run counter to what's ultimately marketable, I would really prefer to set my own thresholds and adhere to them.

If I knew a new attack came out this morning, and I was off-site, there may be an alert that I'd now want that was in the "hit delete" category last night. I tend to syslog *.debug quite often, and then grep those logs for what I'm really after, because I can always go back if I have the data, but if I never log it, it's lost forever. I consider some alerts to be in the same vein, and my tolerance is probably fairly high for a little inconvenience because I think the risk/reward scenario is higher than doing it the other way around. If I'm never alerted, I don't know something happened.

Now if your system follows BUGTRAQ, *security, comp.security.*, etc. and changes its thresholds, I'm ready to buy. Until then I prefer to do most of my filtering manually. But then I handle e-mail the same way: I've got procmail, but it's only used for the coarsest functions, not for everyday sorting.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net    which may have no basis whatsoever in fact."
PSB#9280
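The "log everything, filter at the alert layer" approach argued over in this exchange, as an added illustration (not code from either poster): every alert is archived unconditionally, a site-policy router decides which ones page, and the policy can be adjusted while running (the "new attack this morning" case). The alert line format, the severity numbers and the signature names are constructed for the example and do not correspond to any real IDS.

```python
import re
from dataclasses import dataclass, field

# Constructed sample alerts in a syslog-like shape (hypothetical format, not any real IDS).
SAMPLE_ALERTS = [
    "Apr 15 19:01:02 ids1 ids[212]: sev=2 sig=icmp-echo src=10.0.0.5 dst=10.0.0.1",
    "Apr 15 19:01:09 ids1 ids[212]: sev=5 sig=portscan src=192.0.2.7 dst=10.0.0.1",
    "Apr 15 19:02:30 ids1 ids[212]: sev=3 sig=finger-probe src=192.0.2.9 dst=10.0.0.2",
]

ALERT_RE = re.compile(r"sev=(?P<sev>\d+)\s+sig=(?P<sig>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an IDS alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sev"] = int(fields["sev"])
    return fields


@dataclass
class AlertRouter:
    """Site-policy layer sitting on top of the IDS alert stream.

    Every parsed alert is archived (the syslog *.debug habit: keep the data so it
    can be grepped later).  The policy only decides what additionally reaches the
    pager, and it can be changed at runtime without touching the IDS itself.
    """
    page_threshold: int = 4                       # page when severity >= this
    watch: set = field(default_factory=set)       # signatures that page regardless of severity
    archive: list = field(default_factory=list)
    paged: list = field(default_factory=list)

    def route(self, line):
        alert = parse_alert(line)
        if alert is None:
            return "ignored"
        self.archive.append(alert)                # always kept, never lost
        if alert["sev"] >= self.page_threshold or alert["sig"] in self.watch:
            self.paged.append(alert)
            return "page"
        return "archive"

    def watch_signature(self, sig):
        """Promote a signature to 'page me' at runtime, e.g. after reading a new advisory."""
        self.watch.add(sig)


def run(lines, router):
    """Route a batch of log lines and return the decision taken for each."""
    return [router.route(line) for line in lines]
```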