IDS mailing list archives

RE: IDS is dead, etc

From: Tom Arseneault <TArseneault () counterpane com>
Date: Wed, 6 Aug 2003 10:56:31 -0700

My $.02 worth...

Any particular Nimda attack if your patched does'nt mean anything, however
if the volumn of attacks rise sharply in a short time period it's time to
research as to why is going up: are you the only one seeing it? Is it a
general rise in volumn for the Internet as a whole? Is part of a signature
of some new vulnerability? That is why you care even if your patched.

Thomas J. Arseneault 
Security Engineer
Counterpane Internet Security
tarseneault () counterpane com

-----Original Message-----
From: Paul Schmehl [mailto:pauls () utdallas edu]
Sent: Wednesday, August 06, 2003 3:39 AM
To: focus-ids () securityfocus com
Subject: Re: IDS is dead, etc


--On Tuesday, August 05, 2003 13:11:37 -0400 "David W. Goodrum" 
<dgoodrum () nfr com> wrote:


      One, provide the customer with more information (i.e. I see nimda
alerts, but it also says that the dest OS is RedHat, therefore the end
user can ignore it).


This brings up what I guess is a philosophical question.  Why would you 
want to know about Nimda attacks against your servers?  If you're properly 
secured, they won't have any effect.  And if you're not, you'll know about 
them soon enough.

I've altered all these types of rules to alert me when a host *inside* our 
network is infected.  Now *that* I want to know about.  To me, Nimda/Code 
Red/Slammer attacks from the outside are just part of the background noise 
of the Internet.

Am I wrong to think this way?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------

Current thread:

Re: IDS is dead, etc Burak DAYIOGLU (Aug 05)
- Re: IDS is dead, etc Martin Roesch (Aug 05)
- Re: IDS is dead, etc David W. Goodrum (Aug 05)
  - Re: IDS is dead, etc Paul Schmehl (Aug 06)
    - Re: IDS is dead, etc Bennett Todd (Aug 06)
    - Re: IDS is dead, etc maz (Aug 07)
    - Re: IDS is dead, etc M. Dodge Mumford (Aug 07)
- <Possible follow-ups>
- RE: IDS is dead, etc Tom Arseneault (Aug 06)
  - RE: IDS is dead, etc Mark Tinberg (Aug 07)
- RE: IDS is dead, etc Tom Arseneault (Aug 07)
  - Re: IDS is dead, etc Sebastian Schneider (Aug 07)
  - Re: IDS is dead, etc Barry Fitzgerald (Aug 07)
    - Re: IDS is dead, etc Bennett Todd (Aug 08)
    - Re: IDS is dead, etc Sam f. Stover (Aug 11)
    - Re: IDS is dead, etc Scott Wimer (Aug 11)
    - Re: IDS is dead, etc Bennett Todd (Aug 11)
    - Re: IDS is dead, etc Scott Wimer (Aug 11)
    - Re: IDS is dead, etc Bennett Todd (Aug 11)

(Thread continues...)