Firewall Wizards mailing list archives

Re: how to do intrusion detection right


From: Martin W Freiss <freiss.pad () sni de>
Date: Thu, 16 Apr 98 12:02:35 MDT

In other words, the administrator will apply site policy to the IDS
by building a filtering layer on top of its alert mechanism. That will
be based on the administrator's knowledge of site policy and local
risk/threat posture.

We're 100% agreed. But what I am saying is that the IDS should
be able to permit that tuning directly, by getting that information
from the administrator so the IDS can tailor its behavior to what
it has been told is acceptable/unacceptable/interesting about the
network it's watching.

Maybe more of a philosophical point, but I miss something in this
whole discussion. We are all agreed (I think) that an IDS should issue
a warning when something "interesting" happens or the firewall has been
broached - but I do get the feeling that we do not really know what
"interesting" means.

When the administrator can tailor the IDS to unacceptable/interesting
stuff on the net, what he does is transfer his own mindset about security
to the IDS. I then have a machine that "thinks" like me, which thus alerts 
me about facts that I am already aware of - a useful thing that may save 
some work, but will not help me notice next week's bug being exploited. 

I may be stupid, but what is "interesting" is something I do not know 
before an intrusion attempt.
Tomorrow's attack may use some technique that is "obviously" safe today,
thus bypassing my (human or computer) filtering layer. Using a sufficiently
"new" technique, my firewall will probably not notice that it has been 
broached. What _can_ help me is having a complete log of everything that
has been going through the network, which I can then analyze to understand
what has happened. An intrusion analysis system, if you will - which 
so far includes a large human component.

-Martin

--
 Martin Freiss, MF194   | freiss.pad () sni de | http://www.rmi.de/~marvin
 Siemens Nixdorf, CC IT Networks, Solution Team Internet/Intranet
Half male, half e-mail.  
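The post's argument is that an alerting layer tuned to today's notion of "interesting" cannot surface tomorrow's technique, whereas a complete log can be queried retrospectively once the technique is understood. The following added example (not code from the original post, its author or the list) makes that concrete on a small constructed connection log: `tuned_alerts` models the policy-tuned filter, `retro_query` models an analyst applying a rule written after the fact, and `what_the_filter_lost` shows which records only the complete log preserved. All record values, the `KNOWN_BAD_PORTS` set and the `unusual_volume_on_allowed_port` rule are assumptions made up for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set


@dataclass(frozen=True)
class Conn:
    """One connection record from a complete network log (constructed fields)."""
    ts: int        # seconds, arbitrary epoch
    src: str
    dst: str
    dport: int
    nbytes: int


# Constructed sample log; the addresses and volumes are invented for this example.
LOG: List[Conn] = [
    Conn(1000, "10.0.0.5", "192.0.2.10", 80, 1200),
    Conn(1005, "10.0.0.5", "192.0.2.10", 80, 900),
    Conn(1010, "10.0.0.7", "192.0.2.20", 23, 300),      # telnet: already "interesting" today
    Conn(1020, "10.0.0.9", "192.0.2.30", 53, 65000),    # allowed port, unusual volume
    Conn(1025, "10.0.0.9", "192.0.2.30", 53, 70000),
    Conn(1030, "10.0.0.5", "192.0.2.10", 443, 4000),
]

# Assumed site policy: what the administrator has told the IDS is "interesting" today.
KNOWN_BAD_PORTS: Set[int] = {23, 512, 513, 514}


def tuned_alerts(log: Iterable[Conn], bad_ports: Set[int] = KNOWN_BAD_PORTS) -> List[Conn]:
    """The policy-tuned alerting layer: it only emits what the admin already considers bad."""
    return [c for c in log if c.dport in bad_ports]


def retro_query(log: Iterable[Conn], rule: Callable[[Conn], bool]) -> List[Conn]:
    """Retrospective analysis: run a rule written after the fact over the complete log."""
    return [c for c in log if rule(c)]


def unusual_volume_on_allowed_port(c: Conn, threshold: int = 10_000) -> bool:
    """A hypothetical 'next week' rule: an allowed port carrying far more data than expected."""
    return c.dport not in KNOWN_BAD_PORTS and c.nbytes > threshold


def what_the_filter_lost(log: Iterable[Conn],
                         bad_ports: Set[int],
                         rule: Callable[[Conn], bool]) -> List[Conn]:
    """Records the new rule matches that the tuned alerting layer never surfaced.

    If alerts were the only thing retained, these records would be gone; keeping the
    complete log is what makes the retrospective question answerable at all.
    """
    log = list(log)
    alerted = set(tuned_alerts(log, bad_ports))
    return [c for c in retro_query(log, rule) if c not in alerted]


if __name__ == "__main__":
    print("alerts the tuned IDS raised today:", tuned_alerts(LOG))
    print("records only the complete log could surface later:",
          what_the_filter_lost(LOG, KNOWN_BAD_PORTS, unusual_volume_on_allowed_port))
```

The two functions deliberately take the same log: the difference between them is not the data but when the rule was known. In practice the "complete log" is the expensive part (storage, retention, privacy), which is why the post's closing remark about the large human component still applies to deciding what to keep.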