IDS mailing list archives
Re: ssh and ids
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 22 Jun 2004 10:11:03 -0500
On Mon, 2004-06-21 at 07:43, Gary Flynn wrote:
> The Juniper/Netscreen IDP comes with a feature called Profiler that you can set to discover and alert on new port or host appearances. You set it to discover what's normal, then turn on alerting.
Before we're diving too far into the list of IDS/IPS that can profile traffic, I just want to remind everyone that a good firewall configuration does exactly that; it creates a profile and prevents unauthorized connections. It seems these days we're quick to jump to IDS/IPS systems to have them detect and prevent unauthorized and/or abnormal traffic. It seems we're forgetting that a correctly configured firewall does the same thing. It prevents backdoors into web servers, it prevents web servers from establishing sessions to the outside.

The IDS needs to catch those conditions where for example an attacker launches a cryptcat shell from the web server to the outside, and I agree that the IDS needs to know the normal traffic profile for that purpose. But guess what... your firewall (which is blocking said shell-shovel attempt) can detect it as well. Not just that, it can prevent it! It seems nowadays we tend to augment lax and leaky firewalls with IPS systems when we should really go back and tighten our firewall rule sets.

Now that I'm done ranting, let me ask you: How do you detect a listening port on a rooted server when no one is able to send packets to that port? (Seems like nmap would do the trick, and is cheaper than a profiling IDS appliance.)

Cheers,
Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
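Frank's point above is that the firewall which drops a web server's outbound connections is also the sensor that sees them. The following is an added example, not code from this thread or from any of the products mentioned: a small parser for Linux iptables kernel LOG lines and a check that flags the DMZ web server initiating connections outside a constructed egress policy (the "shell shovel" condition). The hostnames, addresses, the policy table and the log lines are all constructed for illustration.

```python
"""Added example: turn iptables LOG lines into egress-policy alerts.

Constructed rules that would produce the lines parsed below (not from
the thread):
    iptables -A FORWARD -s 10.0.1.5 -p udp --dport 53 -d 10.0.0.53 -j ACCEPT
    iptables -A FORWARD -s 10.0.1.5 -m state --state NEW \
        -j LOG --log-prefix "EGRESS: "
    iptables -A FORWARD -s 10.0.1.5 -m state --state NEW -j DROP
The LOG rule gives detection, the DROP rule gives prevention.
"""
import re
from typing import Optional

# Constructed policy for the DMZ web server 10.0.1.5: the only
# connections it may initiate itself.  Anything else it opens is an alert.
WEB_SERVER = "10.0.1.5"
ALLOWED_EGRESS = {
    ("UDP", "10.0.0.53", 53),   # constructed corporate resolver
    ("TCP", "10.0.0.53", 53),
}

# Constructed sample log lines (syslog + iptables LOG target format).
SAMPLE_LOG = [
    # client connecting to the web server: inbound, fine
    "Jun 22 10:11:03 fw1 kernel: [1234.001] FWD: IN=eth0 OUT=eth1 SRC=198.51.100.7 "
    "DST=10.0.1.5 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=80 WINDOW=65535 SYN URGP=0",
    # web server's SYN-ACK reply: part of an established session, fine
    "Jun 22 10:11:03 fw1 kernel: [1234.002] FWD: IN=eth1 OUT=eth0 SRC=10.0.1.5 "
    "DST=198.51.100.7 LEN=60 TTL=64 PROTO=TCP SPT=80 DPT=51234 WINDOW=29200 SYN ACK URGP=0",
    # DNS query to the permitted resolver: in policy
    "Jun 22 10:11:04 fw1 kernel: [1234.003] FWD: IN=eth1 OUT=eth2 SRC=10.0.1.5 "
    "DST=10.0.0.53 LEN=61 TTL=64 PROTO=UDP SPT=40000 DPT=53 LEN=41",
    # web server opening a shell to an outside host: the shell-shovel case
    "Jun 22 10:11:09 fw1 kernel: [1234.004] EGRESS: IN=eth1 OUT=eth0 SRC=10.0.1.5 "
    "DST=203.0.113.9 LEN=60 TTL=64 PROTO=TCP SPT=43210 DPT=4444 WINDOW=29200 SYN URGP=0",
    # web server initiating HTTPS outbound: not in its policy either
    "Jun 22 10:11:10 fw1 kernel: [1234.005] EGRESS: IN=eth1 OUT=eth0 SRC=10.0.1.5 "
    "DST=203.0.113.20 LEN=60 TTL=64 PROTO=TCP SPT=43211 DPT=443 WINDOW=29200 SYN URGP=0",
]


def parse_iptables_log(line: str) -> Optional[dict]:
    """Parse one kernel LOG line into a dict of its KEY=VALUE fields.

    Flag-only tokens (SYN, ACK, DF, ...) are stored as True.  The
    --log-prefix text is kept under 'prefix'.  Returns None for lines
    that are not iptables LOG output."""
    _, sep, body = line.partition("kernel:")
    if not sep:
        return None
    body = re.sub(r"^\s*\[[^\]]*\]\s*", "", body)   # drop "[uptime]"
    prefix, sep, fields = body.partition(" IN=")
    if not sep:
        return None
    event = {"prefix": prefix.strip()}
    for token in ("IN=" + fields).split():
        key, eq, value = token.partition("=")
        event[key] = value if eq else True
    return event


def initiated_by_server(event: dict) -> bool:
    """True when the web server itself opened the flow: a TCP SYN without
    ACK, or any UDP datagram it sourced.  Replies (SYN-ACK, ACK) are not
    counted, so serving inbound clients never trips the check."""
    if event.get("SRC") != WEB_SERVER:
        return False
    if event.get("PROTO") == "TCP":
        return event.get("SYN") is True and event.get("ACK") is not True
    return event.get("PROTO") == "UDP"


def egress_violation(event: dict) -> Optional[str]:
    """Return an alert string if the server initiated a flow that is not
    in ALLOWED_EGRESS, else None."""
    if not initiated_by_server(event):
        return None
    key = (event["PROTO"], event["DST"], int(event["DPT"]))
    if key in ALLOWED_EGRESS:
        return None
    return (f"{event['SRC']} opened {event['PROTO']} to "
            f"{event['DST']}:{event['DPT']} (outside egress policy)")


def alerts_from_log(lines) -> list:
    """Run the egress check over a sequence of log lines."""
    alerts = []
    for line in lines:
        event = parse_iptables_log(line)
        if event is None:
            continue
        message = egress_violation(event)
        if message:
            alerts.append(message)
    return alerts


if __name__ == "__main__":
    for alert in alerts_from_log(SAMPLE_LOG):
        print("ALERT:", alert)
```

Run stand-alone it prints two alerts, one for the connection to port 4444 and one for the outbound HTTPS connection; the inbound client session and the DNS query pass silently. The check keys on who sent the first packet rather than on the destination port, which is why an allow-list of what the server may initiate is a tighter profile than a block-list of "bad" ports.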
Current thread:
- ssh and ids Runion Mark A FGA DOIM WEBMASTER(ctr) (Jun 18)
- Re: ssh and ids Adam Powers (Jun 21)
- Re: ssh and ids Martin Roesch (Jun 21)
- Re: ssh and ids Tony Carter (Jun 22)
- Re: ssh and ids Jason (Jun 22)
- Re: ssh and ids Adam Powers (Jun 22)
- Re: ssh and ids Martin Roesch (Jun 23)
- Re: ssh and ids Christian Kreibich (Jun 24)
- Re: ssh and ids Gary Flynn (Jun 21)
- Re: ssh and ids Frank Knobbe (Jun 22)
- Re: ssh and ids Bamm Visscher (Jun 23)
- Re: ssh and ids Frank Knobbe (Jun 23)
- Re: ssh and ids Frank Knobbe (Jun 22)
- <Possible follow-ups>
- Re: ssh and ids Ron Gula (Jun 21)
- RE: ssh and ids Wozny, Scott (US - New York) (Jun 21)
- RE: ssh and ids Omar Herrera (Jun 21)
- RE: ssh and ids Matthew F. Caldwell (Jun 22)
- RE: ssh and ids Frank Knobbe (Jun 22)
- RE: ssh and ids Peter_Schawacker (Jun 22)
- Re: ssh and ids Adam Powers (Jun 22)
- Re: ssh and ids David W. Goodrum (Jun 22)