Firewall Wizards mailing list archives
Re: Recording slow scans
From: Crispin Cowan <crispin () cse ogi edu>
Date: Wed, 14 Oct 1998 02:55:04 +0000
Darren Reed wrote:
> What I suspect a few people would like to see is a "FWTK-like" set of programs which Security Consultant Joe Bloggs can rip off and build back-yard IDS's from to sell to unsuspecting companies. I'm not accusing you of that but I doubt I'd hear anyone complain (except maybe those at NFR/ISS, etc).
You say THAT as if it were a bad thing. I don't see a whole lot of open-source IDS-ware floating around. On the other hand, there are a lot of commercial, closed-source IDS products out there.

If there was an IDS toolkit, then open source coders could write clever new instruments, fine tune stuff, debug stuff, contribute enhancements back into the community ... you know, that cool stuff that open-source people tend to do if you let them. This kind of open source development model seems particularly well-suited to the IDS problem, where you have the following characteristics:

* Needs lots of fine-tuning: many hands can do that in parallel
* Data-dependent: different people have access to different data sources
* Different information streams: IDS instruments can be inserted in lots of places, if they can find a convenient fire-alarm to pull

An IDS-TK seems like a very fine thing indeed. Is there one?
> Couple of problems here...
>
> (1) potential loss of revenue for X companies which make IDS products;
That's usually a problem with open source software :-)
> (2) significant kernel bloat and subsequent requirements for machines;
True ... so make the IDS enhancement modular, so it can be left out.
> (3) all IDS solutions are part-kernel, part-user programs;
Counter-example: Tripwire. Slow IDS, no kernel mods required.

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Support Justice: Boycott Windows 98