Re: IDS is dead, etc

[Paul Schmehl <pauls () utdallas edu>]

--On Tuesday, August 05, 2003 13:11:37 -0400 "David W. Goodrum" 
<dgoodrum () nfr com> wrote:
>         One, provide the customer with more information (i.e. I see nimda
> alerts, but it also says that the dest OS is RedHat, therefore the end
> user can ignore it).

This brings up what I guess is a philosophical question.  Why would you 
want to know about Nimda attacks against your servers?  If you're properly 
secured, they won't have any effect.  And if you're not, you'll know about 
them soon enough.

I've altered all these types of rules to alert me when a host *inside* our 
network is infected.  Now *that* I want to know about.  To me, Nimda/Code 
Red/Slammer attacks from the outside are just part of the background noise 
of the Internet.

Am I wrong to think this way?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------