IDS mailing list archives

Re: IDS is dead, etc


From: Frank Knobbe <frank () knobbe us>
Date: Mon, 11 Aug 2003 13:58:54 -0500

On Fri, 2003-08-08 at 12:15, Bennett Todd wrote:
> I do maintain, however, that by combining tight configuration
> control with complete abstinence from known-bad software, you can
> raise the barrier sufficiently high that the attacks that succeed
> will be so wildly new and out of left field that your IDS would be
> no more help than your firewall. IDSes detect known problems;
> they're the "anti-virus scanners" of the network.

If you limit your thinking to signature based IDS's then yes. However,
anomalies, abnormal traffic, policy violations, and other "weird stuff"
*can* be detected by IDS's (if so configured), and that lets you move the
detection capabilities beyond the "known stuff".

Marty brought up the point about how people use/not-use Snort. Snort
rocks because it is so configurable; as Marty said, it is a framework for
your custom solution (in your custom network). With Snort we can do anomaly
detection and catch a lot of "unknowns". Other IDS's may not be as
flexible, but that doesn't mean that Intrusion Detection cannot detect
the abnormal things. If your IDS just acts as a network based virus
scanner, perhaps you need to take a look at some other IDS's.

Cheers,
Frank
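As an added illustration of the non-signature detection Frank describes (this is example code written for this archive page, not Snort and not anything Frank or Marty posted), the following Python checks connection records against a site policy and flags flows that match no known-good rule, plus a simple "port sweep" anomaly. The network ranges, the policy entries and the log lines are all constructed for the example; the point is that a violation is caught because the flow is *not on the allowed list*, with no knowledge of any exploit or signature.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed policy for a hypothetical two-segment network:
# each entry is (allowed source net, allowed destination net, destination port).
ANY = ip_network("0.0.0.0/0")
WORKSTATIONS = ip_network("10.1.0.0/24")
DMZ = ip_network("10.2.0.0/24")
POLICY = [
    (WORKSTATIONS, ANY, 80),    # workstations may browse the web
    (WORKSTATIONS, ANY, 443),
    (ANY, DMZ, 80),             # anyone may reach the DMZ web servers
    (WORKSTATIONS, DMZ, 22),    # admins may ssh into the DMZ
]

# Constructed connection records, one flow per line: "src dst dport".
# 198.51.100.20 is a TEST-NET-2 address standing in for an external host.
SAMPLE_LOG = """\
10.1.0.5 10.2.0.10 80
10.1.0.5 198.51.100.20 443
10.2.0.10 198.51.100.20 443
10.1.0.7 10.2.0.10 22
10.1.0.9 10.2.0.10 21
10.1.0.9 10.2.0.10 23
10.1.0.9 10.2.0.10 25
10.1.0.9 10.2.0.10 110
10.1.0.9 10.2.0.10 143
"""


def parse_records(text):
    """Turn the log text into (src, dst, dport) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, dst, dport = line.split()
        records.append((ip_address(src), ip_address(dst), int(dport)))
    return records


def is_allowed(src, dst, dport):
    """A flow is allowed if some policy entry covers it; anything else is 'weird stuff'."""
    return any(src in s_net and dst in d_net and dport == port
               for s_net, d_net, port in POLICY)


def policy_violations(records):
    """Flows that no policy entry permits, judged without looking at payload or signatures."""
    return [(str(s), str(d), p) for s, d, p in records if not is_allowed(s, d, p)]


def port_sweep_anomalies(records, threshold=4):
    """Source hosts touching more than `threshold` distinct ports on a single destination."""
    ports = defaultdict(set)
    for s, d, p in records:
        ports[(str(s), str(d))].add(p)
    return {pair: sorted(ps) for pair, ps in ports.items() if len(ps) > threshold}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for v in policy_violations(recs):
        print("policy violation:", v)
    for pair, ps in port_sweep_anomalies(recs).items():
        print("port sweep anomaly:", pair, ps)
```

On the constructed log the DMZ web server opening an outbound HTTPS connection is reported even though nothing about the packet is "known bad", and the workstation walking through five ports on one server is reported by the sweep check alone. A real deployment would derive the allowed list from the site's actual segmentation and tune the threshold against normal traffic.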
