Firewall Wizards
mailing list archives
Re: Intrusion Detection
From: Aleph One <aleph1 () dfw net>
Date: Tue, 14 Apr 1998 16:21:45 -0500 (CDT)
On Tue, 14 Apr 1998, Marcus J. Ranum wrote:
Adam,
To me the big open question in ID is "why?" not "what?"
Because if you do not alert the user that he is under attack by the
attacks that you can detect and evade, he will never know when the hacker
moves on to some new attack your gizmo does not know about yet. Most
attackers will move from one technique to the next until they find one that
works.
For example, if someone portscans you and finds you are running a daemon
for the FOO protocol on port 666 with a bug he knows about but your IDS
does not, and the IDS does not report the portscan because you don't want to
be bothered, then you have just thrown out the only clue you had that you
may have been broken into.
Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
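An added illustration of the argument in this post (example code written for this archive page, not something from the original thread): a small detector over a constructed connection log that flags a host touching many distinct ports, and then flags the same host when it comes back later for one of those ports (the port-666 daemon scenario). With scan tracking switched off, modelling "don't bother me with portscans", the later connection produces no alert at all. The log format, thresholds and host addresses are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one connection per line: "<ISO timestamp> <src host> <dst port>".
# 10.0.0.5 sweeps several ports (including 666), then returns five minutes later to 666 only.
SAMPLE_LOG = """\
1998-04-14T16:00:01 10.0.0.5 21
1998-04-14T16:00:01 10.0.0.5 22
1998-04-14T16:00:02 10.0.0.5 23
1998-04-14T16:00:02 10.0.0.5 25
1998-04-14T16:00:03 10.0.0.5 80
1998-04-14T16:00:03 10.0.0.5 666
1998-04-14T16:00:10 192.168.1.7 80
1998-04-14T16:05:00 10.0.0.5 666
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, src, port) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, port = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port)))
    return events


def detect(events, threshold=5, window=timedelta(seconds=30), track_scans=True):
    """Return alerts as tuples.

    ("portscan", src, n_ports): src touched >= threshold distinct ports within `window`.
    ("scanner-returned", src, port): a host flagged earlier as a scanner connects again
    after its scan window closed; this is the clue that it moved on to a specific target.
    With track_scans=False the scan is neither reported nor remembered, so the
    return visit looks like any other connection and nothing is raised.
    """
    alerts = []
    history = defaultdict(list)   # src -> [(ts, port)] seen inside the current window
    scanners = {}                 # src -> (last scan activity ts, set of ports probed)
    for ts, src, port in sorted(events):
        if src in scanners:
            last_ts, ports = scanners[src]
            if ts - last_ts <= window:
                ports.add(port)               # still part of the sweep
                scanners[src] = (ts, ports)
            else:
                alerts.append(("scanner-returned", src, port))
            continue
        history[src] = [(t, p) for t, p in history[src] if ts - t <= window]
        history[src].append((ts, port))
        ports = {p for _, p in history[src]}
        if track_scans and len(ports) >= threshold:
            scanners[src] = (ts, set(ports))
            alerts.append(("portscan", src, len(ports)))
    return alerts
```

Running `detect(parse_log(SAMPLE_LOG))` yields the scan alert followed by the return to port 666; the same call with `track_scans=False` yields an empty list.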