IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Network IDS

From: Mark Teicher <mht3 () earthlink net>
Date: Thu, 28 Aug 2003 05:15:17 -0600
Again off the beaten path, your description below is a HoneyPot, not an IPS

/m

At 01:15 PM 8/27/2003, Frank Knobbe wrote:


On Tue, 2003-08-26 at 13:53, Andreas Krennmair wrote:
> How is your system protected when the exploit succeeds and is detected
> by the NIDS? Your system is compromised. The only thing where NIDS could
> be interesting is to record all attacks and to separate the known
> exploits from the unknown ones. That is, IMHO, the only really useful
> way NIDS could be used.


Another idea you could use this for is automated containment of
intrusions. Yeah, your box may be hacked by the time the IDS analyzes
the packet, but the reaction (i.e. firewall config) can be done to
automatically isolate that box so that the hacker can't get in or worms
break out. Same thing you would do by hand, except the IDS does it for
you much faster and at 4am when you're not there.

Cheers,
Frank




---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world’s premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symanetc is the Diamond sponsor. Early-bird registration ends September 6 Visit: www.blackhat.com 
---------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: