Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

The usefullness of IDSes (Was: Re: Is Marty Lying?)

From: Peter Busser <peter () trusteddebian org>
Date: Tue, 23 Sep 2003 08:35:53 +0200
Hi!


"Detect intrusions" - if you can set an IDS signature for something, then
you shouldn't be vulnerable to it.  So the functionality of IDS is to tell
you when you've been compromised by six-month old public vulnerabilities
that dvdman has finally gotten his hands on an exploit for, that you never
bothered to patch for?

Useless.


And what if you use an IDS for checking a security policy? E.g. if you have a
special server that is only used by the accounting department and you set up
rules to detect connections to that server coming from other departments?

Or to monitor port scanning probes on the network. A system shouldn't be
vulnerable to a probe. But it could mean the prelude to an attack.

Of course these things could be detected by other means as well.

Groetjes,
Peter Busser
-- 
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: