Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: Craig Brozefsky <craig () onshore com>
Date: Sat, 14 Feb 1998 10:42:44 -0600

On Sat, 14 Feb 1998, Darren Reed wrote:

> In some mail I received from tqbf () secnet com, sie wrote
> [...]
> > However, we do not see a way in which sniffer-driven ID systems can
> > accurately detect SPECIFIC TYPES of attacks in IP traffic. We are not
> > contesting the fact that it is possible to detect traffic that is likely
> > "malicious", and we are not saying that it is impossible to detect the
> > fact that a network is being attacked. The issue is that sniffers cannot
> > isolate (most types of) specific attacks from any other type of attack.
> [...]
>
> One conclusion from this might be that an IDS is only truly
> possible if implemented as a proxy gateway of sorts or otherwise
> performs as a mediator of packets as a firewall might be expected
> to do.  Do you agree with this?

I would disagree, as this conclusion would not take into account the need 
for a secondary source of information regarding the hosts which are 
possible targets.  There is a strong need for context to be able to 
identify specific attacks on hosts.  You are not given this information 
because you're an application proxy vs. a packet filter.

Craig Brozefsky              craig () onshore com
onShore Inc.                 http://www.onshore.com/~craig
Programmer                   loitering on the edge        
