IDS mailing list archives

Re: IDS is dead, etc


From: "maz" <maz () short-b us>
Date: Wed, 6 Aug 2003 15:30:38 -0400

I personally don't care about malicious traffic that doesn't do any harm.
The majority of my outside IDS (outside the firewall) alerts I consider
false positives, due to them not getting through patches or the firewall.
The policy monkeys here care about it so I log them.

I really only pay attention to the internal IDS modules I have installed.  I
want to know when my users create alerts so I can have them reprimanded for
whatever they did, or if they stupidly opened up something on their
desktops.

As for older vulnerabilities that I know are completely patched against, I
wish I could ignore the alerts completely, or turn off the signatures.  Try
telling that to a policy maker; they want everything done to the "t" and
don't even know why or how.

Regards,


----- Original Message ----- 
From: "Paul Schmehl" <pauls () utdallas edu>
To: <focus-ids () securityfocus com>
Sent: Wednesday, August 06, 2003 7:39 AM
Subject: Re: IDS is dead, etc


: --On Tuesday, August 05, 2003 13:11:37 -0400 "David W. Goodrum"
: <dgoodrum () nfr com> wrote:
: >
: > One, provide the customer with more information (i.e. I see nimda
: > alerts, but it also says that the dest OS is RedHat, therefore the end
: > user can ignore it).
:
: This brings up what I guess is a philosophical question.  Why would you
: want to know about Nimda attacks against your servers?  If you're properly
: secured, they won't have any effect.  And if you're not, you'll know about
: them soon enough.
:
: I've altered all these types of rules to alert me when a host *inside* our
: network is infected.  Now *that* I want to know about.  To me, Nimda/Code
: Red/Slammer attacks from the outside are just part of the background noise
: of the Internet.
:
: Am I wrong to think this way?
:
: Paul Schmehl (pauls () utdallas edu)
: Adjunct Information Security Officer
: The University of Texas at Dallas
: AVIEN Founding Member
: http://www.utdallas.edu
:
: ---------------------------------------------------------------------------
: Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
:  - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
:  - Automatically Control P2P, IM and Spam Traffic
:  - Ensure Reliable Performance of Mission Critical Applications
: Precisely Define and Implement Network Security and Performance Policies
: **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
: Visit us at: http://www.captusnetworks.com/ads/31.htm
: ---------------------------------------------------------------------------
:
:
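One way to implement the triage the posters describe, as an added example that is not part of the thread: alerts whose source is inside the home network are promoted (Paul's "host inside our network is infected" case, and maz's "when my users create alerts" case), while outside-in alerts are suppressed when the signature's target platform does not match the destination host (the Nimda-against-RedHat case) or when the fix is already applied (maz's patched-vulnerability case), and otherwise kept for the record or flagged for investigation. The address ranges, asset inventory, signature metadata, patch identifiers (placeholders, not real bulletin numbers) and the Snort-fast-style alert lines are all constructed for this example.

```python
"""Direction- and asset-aware IDS alert triage (added example, not from the thread)."""
import ipaddress
import re
from collections import Counter

# Constructed: the "inside" of the network (assumption; Snort calls this $HOME_NET).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed asset inventory: platform and applied patches per internal host (assumption).
ASSETS = {
    "10.1.1.5":  {"os": "linux",   "patched": set()},
    "10.1.1.20": {"os": "windows", "patched": {"PATCH-A"}},
    "10.1.1.30": {"os": "windows", "patched": set()},
}

# Constructed signature metadata: platform the exploit targets and the patch that closes
# the hole (assumption; PATCH-A / PATCH-B are placeholders, not real bulletin numbers).
SIGNATURES = {
    "WEB-IIS nimda":  {"os": "windows", "fixed_by": "PATCH-A"},
    "MS-SQL slammer": {"os": "windows", "fixed_by": "PATCH-B"},
}

# Matches a Snort "fast"-style alert line: [**] [gid:sid:rev] msg [**] [...] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\] (?:\[[^\]]*\] )*"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)

# Constructed sample alerts (documentation address ranges for the outside hosts).
SAMPLE_ALERTS = [
    "08/06-15:30:38.000001 [**] [1:1:1] WEB-IIS nimda [**] [Priority: 2] {TCP} 203.0.113.7:4321 -> 10.1.1.5:80",
    "08/06-15:30:39.000002 [**] [1:1:1] WEB-IIS nimda [**] [Priority: 2] {TCP} 198.51.100.9:2222 -> 10.1.1.20:80",
    "08/06-15:30:40.000003 [**] [1:1:1] WEB-IIS nimda [**] [Priority: 2] {TCP} 198.51.100.9:2223 -> 10.1.1.30:80",
    "08/06-15:30:41.000004 [**] [1:1:1] WEB-IIS nimda [**] [Priority: 2] {TCP} 203.0.113.7:4322 -> 10.1.1.99:80",
    "08/06-15:30:42.000005 [**] [1:2:1] MS-SQL slammer [**] [Priority: 1] {UDP} 10.1.1.30:1434 -> 203.0.113.200:1434",
    "08/06-15:30:43.000006 [**] [1:3:1] SCAN probe [**] [Priority: 3] {TCP} 203.0.113.7:4323 -> 10.1.1.5:22",
    "this line is not an alert and is skipped",
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the HOME_NET prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def triage(msg: str, src: str, dst: str) -> str:
    """Classify one alert by direction, target platform and patch state."""
    # An inside host firing a worm signature is an infected host; an inside host firing
    # anything else is a user doing something. Either way this is the alert worth seeing.
    if is_internal(src):
        return "INTERNAL_SOURCE"
    sig = SIGNATURES.get(msg)
    if sig is None:
        # No metadata to judge it by: keep it for the record, do not page anyone.
        return "LOG_ONLY"
    asset = ASSETS.get(dst)
    if asset is None:
        # Unknown destination: patch state cannot be confirmed, so someone has to look.
        return "INVESTIGATE"
    if asset["os"] != sig["os"]:
        return "SUPPRESS_WRONG_OS"      # e.g. an IIS worm aimed at a Linux box
    if sig["fixed_by"] in asset["patched"]:
        return "SUPPRESS_PATCHED"       # known hole, already closed on this host
    return "INVESTIGATE"                # exposed, unpatched target


def triage_log(lines):
    """Parse alert lines, skip non-alert lines, and return (msg, src, dst, verdict) tuples."""
    results = []
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        results.append((m["msg"], m["src"], m["dst"], triage(m["msg"], m["src"], m["dst"])))
    return results


def summarize(results) -> Counter:
    """Count verdicts so the noise floor is visible at a glance."""
    return Counter(verdict for *_, verdict in results)


if __name__ == "__main__":
    triaged = triage_log(SAMPLE_ALERTS)
    for msg, src, dst, verdict in triaged:
        print(f"{verdict:18} {msg:16} {src} -> {dst}")
    print(dict(summarize(triaged)))
```

The suppression decisions depend entirely on the asset inventory being accurate; a host missing from it is deliberately routed to INVESTIGATE rather than silently dropped, which is the safe failure mode for the policy concern maz raises.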



