IDS mailing list archives

Re: Announcement: Alert Verification for Snort


From: Michael Stone <mstone () mathom us>
Date: Sat, 25 Oct 2003 09:39:26 -0400

On Fri, Oct 24, 2003 at 05:49:29PM -0700, Michael Sierchio wrote:
> Not so, IMHO.  Attempts at intrusion are of interest, reconnaissance
> is of interest

In what way? Excluding security researchers and infowar types--focusing
on end-user consumers--what is to be done with that information? I
guarantee that right now every machine on the internet is being hit by
probes. It's a fact of life. But let's say that a small business owner
has a magic box that tells him that he's been hit by 1M scans
today--what should he do with that information? Physical world analogies
are inappropriate because in the physical world you don't have people
constantly walking by and beating on your door. Strategically, on a
large scale, across organizations, or for certain types of
organizations, it can make sense to know about attempts. But in the
general case, for the overworked, understaffed part-time security team
that's the normal case, that information is no more than noise.

Mike Stone

