Intrusion Detection Systems mailing list archives
Re: a novice question. -reply
From: Mark.Teicher () predictive com (Mark.Teicher () predictive com)
Date: Mon, 27 Mar 2000 10:43:46 -0800
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

If a signature is not enabled, it should deny the packet it recognizes or at the firewall or router level, anything that is not explicitly permitted should be denied.

/m

"Keith R. Jarvis" <kjarvis () iss net>
Sent by: owner-ids () uow edu au
03/26/00 01:07 PM

To: ids () uow edu au
cc:
Subject: Re: IDS: a novice question.

Robert Graham wrote:
--- "RajKumar S." <raj2569 () yahoo com> wrote:

since the performance of an IDS system can be improved if the number of attack signatures can be reduced.

This is generally a myth: reducing the number of attack signatures will rarely have any effect on performance.

This is a good point and I'm glad someone made it. In fact a number of IDSs will detect a disabled signature but trash the event before it reaches the console or log/DB since it's such a negligible performance hit.

Another situation that argues against disabling signatures or auto-configuring the IDS like NetProwler or Arms are attacks from your network to another. If you don't have any Solaris machines on your network and disable, say, ttdb and cmsd decodes on your IDS, are you not interested if an attacker compromises a machine on your network and begins mass exploiting competitor.com with these attacks?

Obviously if you only have enough CPU to watch your systems then first things first, but it's an unfortunate compromise.

--krj

--
Keith R. Jarvis (kjarvis () iss net) http://xforce.iss.net
Internet Security Systems, Inc. +1-678-443-6149 (direct)
Adaptive Network Security for the Enterprise +1-678-443-6479 (fax)
ISS Connect 2000 March 19-24, 2000 http://connect.iss.net
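
The two points in the quoted message above, sketched as post-detection triage (an added example, not part of the original thread or any product's code): the sensor still decodes every signature, and an event is discarded before the console only when it targets a local host the signature cannot affect. The network range, signature names, disposition labels and sample events are constructed assumptions.

```python
import ipaddress

# Constructed values for illustration; none come from the thread.
HOME_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Hypothetical signature names for the ttdb and cmsd decodes mentioned above,
# which a site without Solaris hosts might want to silence.
NOT_APPLICABLE_LOCALLY = {"rpc-ttdb-overflow", "rpc-cmsd-overflow"}


def is_internal(addr):
    """True if addr lies in a home network; raises ValueError if unparseable."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NETS)


def triage(event):
    """Decide what happens to an event the sensor has already detected."""
    try:
        src_in = is_internal(event["src"])
        dst_in = is_internal(event["dst"])
    except ValueError:
        return "alert"  # direction unknown: never suppress blindly
    if src_in:
        # One of our hosts is the attacker, so the local platform mix is
        # irrelevant: the host is probably compromised.
        return "escalate"
    if dst_in and event["sig"] in NOT_APPLICABLE_LOCALLY:
        # Still decoded by the sensor, but dropped before console or log/DB.
        return "suppress"
    return "alert"


SAMPLE_EVENTS = [  # constructed sample events
    {"sig": "rpc-ttdb-overflow", "src": "203.0.113.9", "dst": "192.0.2.10"},
    {"sig": "rpc-ttdb-overflow", "src": "192.0.2.10", "dst": "198.51.100.7"},
    {"sig": "http-cgi-probe", "src": "203.0.113.9", "dst": "192.0.2.10"},
    {"sig": "rpc-cmsd-overflow", "src": "not-an-ip", "dst": "192.0.2.10"},
]


def run(events):
    """Return (signature, source, disposition) for each event."""
    return [(e["sig"], e["src"], triage(e)) for e in events]


if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row)
```
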
