Firewall Wizards mailing list archives

Re: Log checking?


From: Bennett Todd <bet () rahul net>
Date: Wed, 6 Oct 2004 17:14:06 +0000

(sorry about the late reply, catching up after a week away)

2004-09-30T15:24:40 Paul D. Robertson:
But, again- IDS is "known bad"- we don't get IDS signatures for
"stuff we don't know is good."

I think both anomaly analysis ("stuff we don't know is good") and
IDS (stuff we know is bad) have value to add. Anomaly analysis is
the way to catch new or one-off attacks. It's expensive, though. IDS
is very cheap, catches consequences of config errors, user
stupidity, etc., and has the additional advantage that (at least
with signature-based network IDS, e.g. snort) it identifies the
attacks detected with links to descriptions.

-Bennett
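As an added illustration (not part of this thread or Bennett's post), a minimal Python log checker that layers the two approaches he contrasts: signature rules flag lines we know are bad and attach a description reference, while an anomaly pass flags lines whose (host, program) pair never appeared in a clean baseline, i.e. "stuff we don't know is good". Hosts, program names, log lines and signature IDs are all constructed for the example.

```python
"""Constructed example: two-layer log checking (signature + anomaly)."""
import re

# Constructed baseline: log lines from a period believed to be clean.
BASELINE = [
    "Oct  6 10:00:01 fw1 sshd[2201]: Accepted publickey for ops from 10.0.0.5",
    "Oct  6 10:00:05 fw1 cron[2210]: (root) CMD (run-parts /etc/cron.hourly)",
    "Oct  6 10:01:00 web1 httpd[310]: 10.0.0.9 GET /index.html 200",
]

# Constructed lines to check against the baseline and the signatures.
CURRENT = [
    "Oct  6 11:00:01 fw1 sshd[2310]: Accepted publickey for ops from 10.0.0.5",
    "Oct  6 11:00:02 web1 httpd[310]: 10.0.0.9 GET /index.html 200",
    "Oct  6 11:00:03 web1 httpd[310]: 203.0.113.7 GET /cgi-bin/../../etc/passwd 404",
    "Oct  6 11:00:04 web1 ftpd[900]: connection from 203.0.113.7",
]

# Known-bad signatures, each carrying a reference label (hypothetical IDs),
# in the spirit of a signature IDS linking a hit to its description.
SIGNATURES = [
    (re.compile(r"\.\./"), "SIG-001 directory traversal attempt"),
    (re.compile(r"Failed password .* from"), "SIG-002 ssh password guessing"),
]

# Syslog-style prefix: "Mon  D HH:MM:SS host program[pid]:"
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) (?P<prog>[^\[:]+)")

def parse(line):
    """Return the (host, program) pair for a line, or None if unparseable."""
    m = LINE_RE.match(line)
    return (m.group("host"), m.group("prog")) if m else None

def build_baseline(lines):
    """Set of (host, program) pairs seen in the known-good period."""
    return {parse(l) for l in lines if parse(l)}

def check_logs(lines, baseline):
    """Return (kind, reason, line) findings from both detection layers."""
    findings = []
    for line in lines:
        for pat, ref in SIGNATURES:          # known bad
            if pat.search(line):
                findings.append(("signature", ref, line))
        key = parse(line)                    # not known good
        if key not in baseline:
            findings.append(("anomaly", f"first seen {key}", line))
    return findings
```

The anomaly layer is the expensive part in practice: every new legitimate service shows up as a finding until the baseline is updated, which is the tuning cost Bennett refers to.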
