Intrusion Detection Systems mailing list archives
IDS
From: stefano.maifreni () telecomitalia it (Stefano Maifreni)
Date: Thu, 11 Nov 1999 14:45:34 +0100
I'm sorry, but in my mind I had IDS Engine and Monitor on separate machines.

How can I detect UNKNOWN attacks if they are unknown ???

Thanks,
Stefano

P.S.: I don't think about computers and video game ...

-------- Original Message --------
Subject: RE: IDS
Date: Tue, 2 Nov 1999 16:16:25 -0800
From: Jeff Oliver <jeff () netsentry net>
To: Stefano Maifreni <stefano.maifreni () telecomitalia it>

I think about girls, computers, beer and video games (in reverse order). Most of the time, anyway.

As far as your other statement goes, what happens when that one machine is compromised? I would think that redundancy and the ability to correlate data are important facets of a good IDS, or for any network installation, as far as your resources allow. It would be nice if people thought of intrusion detection as a process or set of practices, more than the running of a program to catch weird packets or failed logins.

From your example, since RealSecure runs on Windows, what happens when the machine inevitably goes down? Just hope the data shows up elsewhere? I think that goes for *any* environment that relies on one machine and program for all of its intrusion detection.

JM2C.

Jeff

-------- Original Message --------
Subject: Re: IDS: IDS
Date: Tue, 2 Nov 1999 16:51:18 +0100
From: David Vincenzetti <vince () seclab com>
To: Stefano Maifreni <stefano.maifreni () telecomitalia it>
CC: justin.lister () csfb com
References: <Pine.BSO.4.10.9911011854230.10455-100000 () bubba igloo org> <3.0.3.32.19991101201423.007a96a0 () mail 9netave com> <381ED18D.8DC6B981 () telecomitalia it>

Basically, Realsecure is a pattern-matching system a-la McAfee for computer viruses. By using Realsecure, you can detect known attacks. But you can NOT detect UNKNOWN attacks, and they are exactly what you should be afraid of.

If you need a really working IDS, one that, when correctly configured (programmed!) according to your network perimeter's specifications, IS able to detect known AND unknown attacks, try NFR (http://www.nfr.com).

-----Original Message-----
From: Stefano Maifreni [mailto:stefano.maifreni () telecomitalia it]
Sent: Tuesday, November 02, 1999 3:57 AM
To: ids () uow edu au
Subject: IDS: IDS

I think the simplest solution is an IDS on a dedicated machine.
e.g.: ISS Real Secure Engine + Monitor

What do you think about ??

Thanks,
Stefano Maifreni
