IDS mailing list archives
Re: IDS is dead, etc
From: "maz" <maz () short-b us>
Date: Wed, 6 Aug 2003 15:30:38 -0400
I personally don't care about malicious traffic that doesn't do any harm. The majority of my outside IDS (outside the firewall) alerts I consider false positives, due to them not getting through patches or the firewall. The policy monkeys here care about it so I log them. I really only pay attention to the internal IDS modules I have installed. I want to know when my users create alerts so I can have them reprimanded for whatever they did, or if they stupidly opened up something on their desktops. As for older vulnerabilities that I know are completely patched against, I wish I could ignore the alerts completely, or turn off the signatures. Try telling that to a policy maker; they want everything done to the "t" and don't even know why or how.

Regards,

----- Original Message -----
From: "Paul Schmehl" <pauls () utdallas edu>
To: <focus-ids () securityfocus com>
Sent: Wednesday, August 06, 2003 7:39 AM
Subject: Re: IDS is dead, etc

: --On Tuesday, August 05, 2003 13:11:37 -0400 "David W. Goodrum"
: <dgoodrum () nfr com> wrote:
: >
: > One, provide the customer with more information (i.e. I see nimda
: > alerts, but it also says that the dest OS is RedHat, therefore the end
: > user can ignore it).
:
: This brings up what I guess is a philosophical question. Why would you
: want to know about Nimda attacks against your servers? If you're properly
: secured, they won't have any effect. And if you're not, you'll know about
: them soon enough.
:
: I've altered all these types of rules to alert me when a host *inside* our
: network is infected. Now *that* I want to know about. To me, Nimda/Code
: Red/Slammer attacks from the outside are just part of the background noise
: of the Internet.
:
: Am I wrong to think this way?
:
: Paul Schmehl (pauls () utdallas edu)
: Adjunct Information Security Officer
: The University of Texas at Dallas
: AVIEN Founding Member
: http://www.utdallas.edu
:
: ---------------------------------------------------------------------------
: Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
: - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
: - Automatically Control P2P, IM and Spam Traffic
: - Ensure Reliable Performance of Mission Critical Applications
: Precisely Define and Implement Network Security and Performance Policies
: **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
: Visit us at: http://www.captusnetworks.com/ads/31.htm
: ---------------------------------------------------------------------------
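The triage policy both posters describe (inbound Nimda/Code Red/Slammer hits against hosts they cannot affect are background noise; the same signature fired by a host inside the network is an infection worth paging on) can be applied as a post-processing step over raw IDS alerts. The script below is an added example and not code from this thread or from any product mentioned in it; the internal address ranges, the signature-to-OS mapping, the asset inventory, the alert line format and the sample alerts are all constructed for illustration.

```python
"""Triage worm alerts by direction and by whether the target can be affected.

Constructed example: the internal ranges, signature/OS mapping, asset
inventory and alert lines below are assumptions, not data from the thread.
"""
import ipaddress
from dataclasses import dataclass

# Assumed internal address space (placeholder RFC 1918 ranges).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed mapping: signature name -> OS families the worm can actually affect.
SIG_TARGET_OS = {
    "NIMDA-IIS-PROBE": {"windows"},
    "CODERED-IIS-PROBE": {"windows"},
    "SLAMMER-MSSQL-UDP": {"windows"},
}

# Constructed asset inventory: address -> (OS family, signatures already patched).
ASSETS = {
    "192.168.1.10": ("linux", set()),
    "192.168.1.20": ("windows", {"NIMDA-IIS-PROBE", "CODERED-IIS-PROBE"}),
    "192.168.1.30": ("windows", set()),
}


@dataclass
class Alert:
    sig: str
    src: str
    dst: str


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of our assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_alert(line: str) -> Alert:
    """Parse a constructed 'SIGNATURE src -> dst' alert line."""
    sig, rest = line.split(" ", 1)
    src, dst = (part.strip() for part in rest.split("->"))
    return Alert(sig, src, dst)


def classify(alert: Alert) -> str:
    """Return the triage class for one alert.

    internal-infection : source is one of our hosts; always actionable
    noise-wrong-os     : inbound, and the target OS cannot be affected
    noise-patched      : inbound, and the target is already patched for it
    review             : inbound, target unknown or not known to be immune
    """
    if is_internal(alert.src):
        return "internal-infection"
    asset = ASSETS.get(alert.dst)
    if asset is None:
        return "review"  # unknown host: no basis for calling it noise
    os_family, patched = asset
    applicable = SIG_TARGET_OS.get(alert.sig)
    if applicable is not None and os_family not in applicable:
        return "noise-wrong-os"
    if alert.sig in patched:
        return "noise-patched"
    return "review"


def triage(lines):
    """Classify each alert line; returns (sig, src, dst, class) tuples."""
    return [(a.sig, a.src, a.dst, classify(a)) for a in map(parse_alert, lines)]


# Constructed sample alerts (documentation-only address ranges).
SAMPLE_ALERTS = [
    "NIMDA-IIS-PROBE 203.0.113.5 -> 192.168.1.10",    # inbound, Linux target
    "NIMDA-IIS-PROBE 203.0.113.5 -> 192.168.1.20",    # inbound, patched target
    "SLAMMER-MSSQL-UDP 203.0.113.7 -> 192.168.1.30",  # inbound, unpatched target
    "CODERED-IIS-PROBE 192.168.1.30 -> 198.51.100.9", # outbound from our own host
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(*row)
```

The order of the checks matters: direction is tested first, so an infected internal host is never suppressed by the OS or patch-level filters, and an unknown target defaults to review rather than to noise, which keeps the inventory gaps visible instead of silently discarding alerts.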
Current thread:
- Re: IDS is dead, etc Burak DAYIOGLU (Aug 05)
- Re: IDS is dead, etc Martin Roesch (Aug 05)
- Re: IDS is dead, etc David W. Goodrum (Aug 05)
- Re: IDS is dead, etc Paul Schmehl (Aug 06)
- Re: IDS is dead, etc Bennett Todd (Aug 06)
- Re: IDS is dead, etc maz (Aug 07)
- Re: IDS is dead, etc M. Dodge Mumford (Aug 07)
- Re: IDS is dead, etc Paul Schmehl (Aug 06)
- <Possible follow-ups>
- RE: IDS is dead, etc Tom Arseneault (Aug 06)
- RE: IDS is dead, etc Mark Tinberg (Aug 07)
- RE: IDS is dead, etc Tom Arseneault (Aug 07)
- Re: IDS is dead, etc Sebastian Schneider (Aug 07)
- Re: IDS is dead, etc Barry Fitzgerald (Aug 07)
- Re: IDS is dead, etc Bennett Todd (Aug 08)
- Re: IDS is dead, etc Sam f. Stover (Aug 11)
- Re: IDS is dead, etc Scott Wimer (Aug 11)
- Re: IDS is dead, etc Bennett Todd (Aug 11)