IDS mailing list archives

RE: IDS is dead, etc


From: Laurent Demailly <dl () qualys com>
Date: Thu, 21 Aug 2003 15:43:40 -0700


Because the machine can't configure itself, the flaws introduced by humans can't really be eliminated.
[...]
The machine can't slap itself on the forehead, exclaim "DOH!!!",
and make adjustments on the fly.

Well, it can try to detect inconsistencies and that's
(shameless but hopefully relevant plug:) what we try
to do (amongst other things) with QuIDScor:
Use information from different sources (IDS, VA) and
correlate and try to catch problems (like for instance
that the VA thinks you do not have vuln X because the
port is not open (to it, be it firewall configuration
or otherwise) but the IDS (established flag in snort)
sees for sure that there is traffic going back and forth
-> flag an alert/misconfiguration warning for the overall
system).

ps: See http://quidscor.sourceforge.net/ for more info about
the open source (BSD license) IDS/VA correlation project we're
working on.
(the first public release of QuIDScor was made end of July and
there is more coming (with a much smarter correlation engine),
feedback welcome)

Laurent
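The VA/IDS cross-check described in the post, as an added illustration that is not QuIDScor's code: a small Python correlator over constructed scanner results and constructed established-session records (the kind a snort rule with `flow:established` would report), flagging every port the scanner called closed or filtered, and also ports it never scanned at all, on which the IDS nevertheless saw established traffic.

```python
from dataclasses import dataclass

# Constructed VA result: the scanner's view of each (host, port).
# "closed"/"filtered" means the scanner never reached the service, so it
# reported no vulnerabilities for it.
VA_RESULTS = {
    ("10.0.0.9", 80): "open",
    ("10.0.0.9", 3306): "filtered",   # a firewall rule blocks the scanner
    ("10.0.0.9", 22): "closed",
}

# Constructed IDS observations: one tuple per established TCP session
# (src_host, dst_host, dst_port), e.g. hits on a snort flow:established rule.
IDS_ESTABLISHED = [
    ("10.0.0.5", "10.0.0.9", 80),
    ("192.0.2.77", "10.0.0.9", 3306),  # real client using the "filtered" port
    ("192.0.2.77", "10.0.0.9", 3306),
    ("192.0.2.77", "10.0.0.9", 8443),  # port the scanner never looked at
]


@dataclass(frozen=True)
class Inconsistency:
    host: str
    port: int
    va_state: str   # what the scanner believed, or "unknown" if unscanned
    sessions: int   # how many established sessions the IDS saw


def correlate(va, ids):
    """Return (host, port) pairs the VA thinks are unreachable but the IDS
    saw established sessions to, sorted by host and port."""
    counts = {}
    for _src, dst, port in ids:
        counts[(dst, port)] = counts.get((dst, port), 0) + 1
    findings = []
    for (host, port), sessions in counts.items():
        state = va.get((host, port), "unknown")
        if state != "open":   # scanner view and wire reality disagree
            findings.append(Inconsistency(host, port, state, sessions))
    return sorted(findings, key=lambda f: (f.host, f.port))


if __name__ == "__main__":
    for f in correlate(VA_RESULTS, IDS_ESTABLISHED):
        print(f"{f.host}:{f.port} VA={f.va_state} but IDS saw {f.sessions} "
              "established session(s): scanner coverage is incomplete")
```

Each finding means the vulnerability assessment of that service is untrusted until the scanner's network position or the firewall rules are reviewed.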



