Intrusion Detection Systems mailing list archives

Re: a novice question.


From: kjarvis () iss net (Keith R. Jarvis)
Date: Sun Mar 26 20:07:28 2000


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
Robert Graham wrote:
> --- "RajKumar S." <raj2569 () yahoo com> wrote:
> > since the performance of an IDS system can be
> > improved if the number of attack signatures can be reduced.
>
> This is generally a myth: reducing the number of attack signatures will rarely
> have any effect on performance.

This is a good point and I'm glad someone made it. In fact, a number of IDSes will 
detect a disabled signature but trash the event before it reaches the console or 
log/DB, since it's such a negligible performance hit.

Another situation that argues against disabling signatures or auto-configuring 
the IDS like NetProwler or Arms is attacks from your network to another. If you 
don't have any Solaris machines on your network and disable, say, the ttdb and cmsd 
decodes on your IDS, are you not interested if an attacker compromises a machine 
on your network and begins mass-exploiting competitor.com with these attacks?

Obviously, if you only have enough CPU to watch your own systems then first things 
first, but it's an unfortunate compromise.

--krj

-- 
Keith R. Jarvis (kjarvis () iss net)             http://xforce.iss.net
Internet Security Systems, Inc.               +1-678-443-6149 (direct)
Adaptive Network Security for the Enterprise  +1-678-443-6479 (fax)
ISS Connect 2000       March 19-24, 2000      http://connect.iss.net
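As an added illustration of the two points made above (that the per-byte cost of a multi-pattern matching engine does not shrink when signatures are disabled, and that a sensor can keep matching disabled signatures and throw the events away afterwards, which is exactly where the outbound-attack view gets lost), here is a toy sensor in Python. It is an example written for this archive page, not ISS code and not anything posted in the thread. It assumes that signatures are plain byte substrings compiled into one Aho-Corasick automaton, that HOME_NET is 10.0.0.0/8 and is used only to tag events inbound/outbound, that the "ttdb"/"cmsd" entries are made-up placeholder byte strings rather than real signatures, and that the packets (addresses, ports, payloads) are constructed by hand.

```python
"""Toy IDS matcher (an added illustration, not ISS code or anything from the
thread). Assumptions: signatures are byte substrings compiled into one
Aho-Corasick automaton; HOME_NET is 10.0.0.0/8; the ttdb/cmsd patterns are
made-up placeholders, not real signatures; packets are constructed."""
from collections import deque
import ipaddress

HOME_NET = ipaddress.ip_network("10.0.0.0/8")      # assumed home network

SIGNATURES = {                                      # constructed placeholders
    "ttdb-placeholder": b"TTDB_OVERFLOW",
    "cmsd-placeholder": b"CMSD_OVERFLOW",
    "phf-cgi": b"GET /cgi-bin/phf",
}

# Constructed packets: (src, dst, dst_port, payload); ports are arbitrary.
PACKETS = [
    ("192.0.2.7", "10.1.2.3", 80, b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"),
    ("10.1.2.3", "203.0.113.9", 32775, b"\x00\x01TTDB_OVERFLOW\x90\x90"),
]


class MultiPatternMatcher:
    """Aho-Corasick trie completed into a full byte-transition table, so each
    payload byte costs one lookup regardless of how many patterns are loaded."""

    def __init__(self, patterns):
        self.goto = [{}]      # state -> {byte: next state}
        self.out = [set()]    # state -> names of patterns that end here
        for name, pat in patterns.items():
            state = 0
            for b in pat:
                nxt = self.goto[state].get(b)
                if nxt is None:
                    self.goto.append({})
                    self.out.append(set())
                    nxt = len(self.goto) - 1
                    self.goto[state][b] = nxt
                state = nxt
            self.out[state].add(name)
        self._complete()

    def _complete(self):
        """Add failure transitions so every (state, byte) has one successor."""
        fail = [0] * len(self.goto)
        alphabet = {b for edges in self.goto for b in edges}
        queue = deque()
        for b in alphabet:
            s = self.goto[0].get(b)
            if s is None:
                self.goto[0][b] = 0
            else:
                queue.append(s)
        while queue:                     # BFS: fail[s] is always shallower than s
            s = queue.popleft()
            for b in alphabet:
                t = self.goto[s].get(b)
                if t is None:
                    self.goto[s][b] = self.goto[fail[s]][b]
                else:
                    fail[t] = self.goto[fail[s]][b]
                    self.out[t] |= self.out[fail[t]]
                    queue.append(t)

    def scan(self, data):
        """Return (names matched, number of table lookups performed)."""
        state, hits, lookups = 0, set(), 0
        for b in data:
            state = self.goto[state].get(b, 0)    # byte outside alphabet -> root
            hits |= self.out[state]
            lookups += 1
        return hits, lookups


def naive_comparisons(patterns, data):
    """Work for an engine that tries each signature separately; this grows with
    the signature count and is the model behind 'fewer sigs = faster'."""
    return sum(max(0, len(data) - len(p) + 1) for p in patterns.values())


class Sensor:
    """Compiles every signature, disabled ones included, and drops their events
    after the match instead of before it."""

    def __init__(self, signatures, disabled=()):
        self.matcher = MultiPatternMatcher(signatures)
        self.disabled = set(disabled)
        self.suppressed = 0

    @staticmethod
    def direction(src, dst):
        s = ipaddress.ip_address(src) in HOME_NET
        d = ipaddress.ip_address(dst) in HOME_NET
        if s and not d:
            return "outbound"
        if d and not s:
            return "inbound"
        return "internal" if s else "external"

    def inspect(self, packet):
        src, dst, dport, payload = packet
        hits, _ = self.matcher.scan(payload)
        events = []
        for name in sorted(hits):
            if name in self.disabled:
                self.suppressed += 1      # detected, then trashed before the console
                continue
            events.append((name, self.direction(src, dst), src, dst, dport))
        return events


def run(disabled=()):
    """Inspect the constructed packets; returns (events, suppressed count)."""
    sensor = Sensor(SIGNATURES, disabled)
    return [e for p in PACKETS for e in sensor.inspect(p)], sensor.suppressed
```

With nothing disabled, `run()` reports the inbound phf probe and the outbound ttdb placeholder from 10.1.2.3; with "ttdb-placeholder" disabled the same match still happens but is counted as suppressed, and the lookup count per packet is identical whether one or three signatures are loaded, while `naive_comparisons` is the figure that grows. Real sensors also do protocol decoding before pattern matching, which this toy leaves out.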
