Firewall Wizards mailing list archives

Re: Intrusion Detection
From: Adam Shostack <adam () homeport org>
Date: Tue, 14 Apr 1998 09:40:46 -0400 (EDT)

shantanu bhattacharya wrote:
| Hi,
| 
| What kinds of intrusions can intrusion detection software
| detect? What can it not detect? Also, specify the reasons.

        There's an upcoming conference on this very question.  I can't
find the URL offhand.

        I believe intrusion detection to be a misnomer, and that the
really useful class of software is attack detection.  Attacks (land,
teardrop, phf, password file sucking) are relatively easy to detect
with network sniffing software.  Intrusions are hard to detect with
network sniffers because, done properly, they look pretty much like
real users.  Most systems I've broken into, I get in through social
engineering. Make a few phone calls.  Log-based analyzers do a better
job of this; they have less data to munge through, and can build up
'expected' behavior patterns.



-- 
Just be thankful that Microsoft does not manufacture pharmaceuticals.
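
The contrast drawn in the message above, as an added example that is not part of the original post: signature checks flag land, teardrop and phf in constructed, already-parsed packet records, while a login with a valid password matches no signature and only stands out when a log-based check compares it with the hosts each user has logged in from before. The record fields, addresses and function names are assumptions made for illustration.

```python
from collections import defaultdict

def detect_attacks(packets):
    """Signature checks over already-parsed packet records (hypothetical dict layout)."""
    alerts, frag_end = [], {}
    for i, p in enumerate(packets):
        # land: TCP SYN whose source and destination address and port are identical
        if p.get("flags") == "S" and p["src"] == p["dst"] and p.get("sport") == p.get("dport"):
            alerts.append((i, "land"))
        # teardrop: fragment starting before earlier data of the same datagram ended
        # (simplification: assumes fragments arrive in order; offsets in bytes)
        if "frag_off" in p:
            key = (p["src"], p["dst"], p["ip_id"])
            if p["frag_off"] < frag_end.get(key, 0):
                alerts.append((i, "teardrop"))
            frag_end[key] = max(frag_end.get(key, 0), p["frag_off"] + p["length"])
        # phf: HTTP request for the phf CGI script
        if p.get("dport") == 80 and b"/cgi-bin/phf" in p.get("payload", b""):
            alerts.append((i, "phf"))
    return alerts

def detect_unusual_logins(history, new_events):
    """Log-based check: flag logins from a host never seen before for that user."""
    seen = defaultdict(set)
    for user, host in history:
        seen[user].add(host)
    return [(user, host) for user, host in new_events if host not in seen[user]]

# Constructed sample data (documentation address ranges, made-up users).
PACKETS = [
    {"src": "192.0.2.10", "dst": "192.0.2.10", "sport": 139, "dport": 139, "flags": "S"},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "ip_id": 242, "frag_off": 0, "length": 36},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "ip_id": 242, "frag_off": 24, "length": 4},
    {"src": "198.51.100.7", "dst": "192.0.2.20", "sport": 1044, "dport": 80, "flags": "PA",
     "payload": b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"},
    # Telnet login with a valid password: no signature matches it.
    {"src": "203.0.113.5", "dst": "192.0.2.10", "sport": 1030, "dport": 23, "flags": "PA",
     "payload": b"alice\r\n"},
]
HISTORY = [("alice", "192.0.2.33"), ("alice", "192.0.2.34"), ("bob", "192.0.2.40")]
NEW_LOGINS = [("alice", "203.0.113.5"), ("bob", "192.0.2.40")]

if __name__ == "__main__":
    print(detect_attacks(PACKETS))
    print(detect_unusual_logins(HISTORY, NEW_LOGINS))
```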


