Intrusion Detection Systems mailing list archives

Re: a novice question.


From: blue0ne () igloo org (Jackie Chan)
Date: Sat, 25 Mar 2000 04:04:37 -0500 (EST)


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
Raj,
        Yes, it is true that most IDS carry all possible signatures, but
the assumption that they are all in effect at one time is unfounded and
requires clarification.  When using an IDS on a network, the administrator
of the IDS normally determines what signatures to look for, and what
signatures not to look for.  Although some may argue that one should look
for all signatures to be aware of any attack, my position is that if I
turn off, for instance, the PHF attack, knowing that my network does not contain
such an old exploit, I will optimize the IDS.  In the event that
someone has placed a vulnerable (and extremely old) version of Apache on
my network, it is logical to assume that you will pick up either pre-attack
probes or other attack signatures associated with this
attacker.  It is highly unlikely that 1. someone decides to place an old
version of the Apache web server on the network, and 2. an attacker would look
only for that one particular exploit without first probing around or
attacking other resources as well.  For those planets to be aligned it
takes one heck of an odd probability, a risk that I am ready to assume to
allow optimization of an IDS.

For further clarification on this matter and others, read the 'Generic IDS
considerations' portion of my paper on Shomiti Taps found at

http://www.secur-e.com/files/ShomitiTap.pdf

Cheers,
blue0ne
(ok, that's 4 posts to the list in 2 days, I believe I've reached my limit)
 

On Sat, 25 Mar 2000, RajKumar S. wrote:

hello all,

from all the mails I have been getting here I believe that all the IDS
products have all the available attack signatures, i.e. even if the network
that I use does not contain any Solaris or NT, my IDS s/w will check for all
the possible exploits that can be mounted against an NT or Solaris.

now why is this necessary? since the performance of an IDS system can be
improved if the number of attack signatures can be reduced.

one use of having all the attack sigs is that it will be possible to log
all the possible attacks that are mounted against my network. but most of
the time they do not cause any harm, e.g. if I am running a server v1.8
and it explicitly fixed a bug found in v1.7, am I required to have the
attack sig of the bug which was fixed? what use will that sig be to me?

please correct me if I got some ideas wrong

raj
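The two messages above describe signature tuning in prose: Raj asks whether a signature for a bug fixed in v1.8 is of any use on a network that only runs v1.8, and blue0ne's answer is to disable signatures for software the network does not run while still relying on probe and other attack signatures to catch an attacker. The following is an added example, not code from either poster or from any IDS product, that turns that reasoning into a small inventory-driven selector. The signature catalog, product names, version numbers and host inventory are all constructed for illustration; the only real design decisions are that recon signatures stay on unconditionally (blue0ne's pre-attack-probe argument) and that an exploit signature is enabled only when some host runs the targeted product below the version that fixed it (Raj's v1.7/v1.8 case).

```python
"""Inventory-driven IDS signature selection (constructed example).

Nothing here is a real rule set: every signature, product name and
version is made up to illustrate the tuning argument from the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    category: str                      # "recon" or "exploit"
    software: Optional[str] = None     # product the exploit targets; None = generic
    fixed_in: Optional[Version] = None # versions >= this are not vulnerable


@dataclass(frozen=True)
class Host:
    name: str
    software: Dict[str, Version]       # product -> installed version


def parse_version(text: str) -> Version:
    """'1.8' -> (1, 8); tuples compare component-wise, so (1, 7) < (1, 8)."""
    return tuple(int(part) for part in text.split("."))


def host_is_exposed(host: Host, sig: Signature) -> bool:
    """A host is exposed to an exploit signature when it runs the targeted
    product at a version below the fix (or at any version if no fix is known).
    Signatures with no target product are treated as applying everywhere."""
    if sig.software is None:
        return True
    installed = host.software.get(sig.software)
    if installed is None:
        return False                   # product not present on this host
    if sig.fixed_in is None:
        return True                    # no known fixed version: assume exposed
    return installed < sig.fixed_in


def select_signatures(catalog: Sequence[Signature], inventory: Sequence[Host],
                      always_on: Sequence[str] = ("recon",)) -> List[Signature]:
    """Keep every signature in an always-on category, plus every exploit
    signature for which at least one inventoried host is exposed."""
    return [
        sig for sig in catalog
        if sig.category in always_on
        or any(host_is_exposed(host, sig) for host in inventory)
    ]


def enabled_sids(catalog: Sequence[Signature], inventory: Sequence[Host]) -> List[int]:
    """Sorted signature ids that would be loaded for this inventory."""
    return sorted(sig.sid for sig in select_signatures(catalog, inventory))


# Constructed catalog: ids, names and products are placeholders.
CATALOG = [
    Signature(1001, "cgi-bin directory probe (constructed)", "recon"),
    Signature(1002, "cgi-app pre-1.8 exploit (constructed)", "exploit", "cgi-app", parse_version("1.8")),
    Signature(1003, "solaris-svc exploit (constructed)", "exploit", "solaris-svc"),
    Signature(1004, "nt-svc exploit (constructed)", "exploit", "nt-svc"),
    Signature(1005, "linux-svc pre-2.3 exploit (constructed)", "exploit", "linux-svc", parse_version("2.3")),
]

# Constructed inventory: a patched web host and a database host, no Solaris or NT.
INVENTORY = [
    Host("www1", {"cgi-app": parse_version("1.8"), "linux-svc": parse_version("2.2")}),
    Host("db1", {"linux-svc": parse_version("2.4")}),
]

# The same inventory after someone adds a host still running the old cgi-app.
INVENTORY_WITH_LEGACY_HOST = INVENTORY + [Host("old-www", {"cgi-app": parse_version("1.7")})]


if __name__ == "__main__":
    for label, hosts in (("patched", INVENTORY), ("with legacy host", INVENTORY_WITH_LEGACY_HOST)):
        chosen = select_signatures(CATALOG, hosts)
        print(f"{label}: {len(chosen)}/{len(CATALOG)} signatures enabled:",
              [sig.sid for sig in chosen])
```

With the patched inventory only the probe signature and the linux-svc signature (www1 still runs 2.2, below the 2.3 fix) are loaded; re-running the selector after an unpatched host appears brings the cgi-app signature back. The caveat the thread itself implies is that this only works as well as the inventory behind it: the selector is a re-run-on-change tool, not a one-time configuration, and the always-on recon category is what keeps an unknown legacy host from being completely invisible.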