Firewall Wizards mailing list archives
Re: Log checking?
From: Bennett Todd <bet () rahul net>
Date: Wed, 6 Oct 2004 17:14:06 +0000
(sorry about the late reply, catching up after a week away)
2004-09-30T15:24:40 Paul D. Robertson:
> But, again- IDS is "known bad"- we don't get IDS signatures for "stuff we don't know is good."
I think both anomaly analysis ("stuff we don't know is good") and IDS (stuff we know is bad) have value to add. Anomaly analysis is the way to catch new or one-off attacks. It's expensive, though. IDS is very cheap, catches consequences of config errors, user stupidity, etc., and has the additional advantage that (at least with signature-based network IDS, e.g. snort) it identifies the attacks detected with links to descriptions.
-Bennett
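The contrast drawn in the message above, as an added example that is not part of the original post: a small log triage that labels lines matching "known bad" signatures, drops lines matching reviewed "known good" patterns, and surfaces everything else for a human. All patterns, host names and log lines are constructed for illustration.

```python
import re

# Constructed "known bad" signatures, each with a name an analyst can look up.
KNOWN_BAD = {
    "ssh-auth-failure": re.compile(r"sshd\[\d+\]: Failed password for "),
    "path-traversal-request": re.compile(r'"GET [^"]*\.\./'),
}

# Constructed "known good" patterns: activity this site has reviewed as routine.
KNOWN_GOOD = [
    re.compile(r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.0\.\d+ "),
    re.compile(r"CRON\[\d+\]: \(root\) CMD \(/usr/sbin/logrotate "),
    re.compile(r'httpd: \S+ "GET /index\.html HTTP/1\.[01]" 200 '),
]

# Constructed sample log; the last line matches no signature at all.
SAMPLE_LOG = """
Oct  6 09:00:01 gw CRON[411]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)
Oct  6 09:02:13 gw sshd[502]: Accepted publickey for alice from 10.0.0.7 port 50122 ssh2
Oct  6 09:03:40 gw sshd[519]: Failed password for root from 192.0.2.44 port 40022 ssh2
Oct  6 09:04:02 gw httpd: 10.0.0.9 "GET /index.html HTTP/1.1" 200 1043
Oct  6 09:04:05 gw httpd: 192.0.2.44 "GET /docs/../../private HTTP/1.0" 404 210
Oct  6 09:05:17 gw kernel: device eth0 entered promiscuous mode
"""

def classify(line):
    """Return (bucket, signature_name). Known-bad is checked first so a
    signature hit is never hidden by an overly broad known-good pattern."""
    for name, pattern in KNOWN_BAD.items():
        if pattern.search(line):
            return ("signature", name)
    if any(p.search(line) for p in KNOWN_GOOD):
        return ("routine", None)
    return ("anomaly", None)  # neither known bad nor known good: needs review

def triage(log_text):
    """Sort every log line into one of the three buckets."""
    buckets = {"signature": [], "routine": [], "anomaly": []}
    for line in log_text.strip().splitlines():
        bucket, name = classify(line)
        buckets[bucket].append((line, name))
    return buckets

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG).items():
        for line, name in entries:
            print(f"{bucket:9} {name or '-':24} {line}")
```

The signature bucket comes with a name to look up, which is the cheap part; the anomaly bucket is only as small as the known-good list is complete, which is where the cost goes.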