Re: a novice question. -reply

[blue0ne () igloo org (Jackie Chan)]

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
MArk, I agree with all you said except the point that you preseumably
missed from my last post.  I stated that teh monitoring of IDS should be
analagoud to a cop walking a beat, not the IDS itself.  The people in
charge of the IDS should gain such an intimate knowledge about the network
inquestion, that they are aware of the slightest modification.  Obviously
the alrger the network monitored, the harder this is to become reality,
but speaking from IDS monitoring experience, I have yet to find a network
that can overwhelm me :)

blue0ne

On Sun, 26 Mar 2000 Mark.Teicher () predictive com wrote:

> Yes, but most IDS systems do not have that check in their common 
> vulnerability/attack signature data files.  DG-UX is also another one that 
> is not covered by itself, but lumped together with the common Sendmail 
> DEBUG/WIZ attack vulnerability.  HP Sendmail and DG-UX implementation of 
> Sendmail have some nuances/vulnerabilities one must manually check for. 
> There are not many saavy sys mongers out there that still remember those 
> two vendor versions of Sendmail.  Trust issue??  Sendmail does not have a 
> switch to trust other servers, it appears that the other servers may have 
> other problems as well. 
>
> DG-UX and HP Sendmail versions still exist, the last version I observed 
> was in 1997, at a large aircraft company.  The recommendation was for 
> Sendmail to removed from the system.  The server's purpose was not to 
> forward mail but to process large cad/cam drawings.  So the recommendation 
> was to remove the SendMail binaries and daemons from the system, instead 
> of pointing out to the customer, they should upgrade to the latest and 
> greatest version of Sendmail.
>
> This is where skills in working with an organization and understanding 
> each servers purpose and providing real life advice versus what the IDS or 
> Host Scanner provides. 
>
> IDS is not analagous to a cop walking a beat, since a cop walking a beat 
> has the intelligence to make a real decision based on other factors than 
> what an IDS system may chirp about and what it is supposed to do when the 
> sysadmin sets a rule set/policy.  It really is an extra set of eyes for a 
> cop.
>
> /m
>
> Mark, in the case of HP Sendmail versions, or any sendmail versions for
> that matter, you would be surprised how many of our core industries still
> utilize old platforms that dont even use sendmail, but were part of the
> default installation, and are still vulnerable to this day.  I for one
> recently found an old version of a DG-UX implementation of Sendmail that I
> would have thought didint exist anymore.  The funny thing was, it was the
> last ditch effort, and it made the entire server farm available to me due
> to trust issues.
>
>
> This is where the security admin (if there is such a position) should
> become intimate with the network in question, constantly scanning to see
> if any new services have poped up on the network, and in an attempt to
> squash any unused or vulnerable services.  The monitoring of IDS
> definatley has to be anlagous to a cop walkin a beat.
>
> blue0ne