Intrusion Detection Systems mailing list archives

Re: Mod FWD


From: Richard Jones <richard () earthmen com>
Date: 08 Sep 2000 08:26:44 +1100

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------

Jackie Chan <blue0ne () igloo org> writes:

> My opinion is that if we ever plan on turning computer security from a
> black art into a science, we need to treat it as such.  And as I realized
> what Marcus was originally saying, there are quite a few people on this
> list who may be new and did not understand that there would be alerts, and
> information generated when an IP Fragment event occurred.
>
> In closing, it's semantics.


Not really.  How about we just add an IP Packet event, or better still
a packet event, that should cover pretty much all eventualities.  We
would now be certain we would never have a (network) attack without an
alert (assuming 0% packet loss).  Not very informative though.  That
is the problem with the "I've seen a fragment" approach.  Such
approximations can be forgiven if the traffic is truly
anomalous. However a generic event trigger based on traffic which is
usually normal is not a useful design feature. 

Richard.
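The trade-off Richard describes (a rule that fires on every packet, or on every fragment, never misses an attack but tells you almost nothing) can be made concrete by scoring rules for precision and recall over labelled traffic. The following is an added example, not code from the thread; the packet sample, its ground-truth labels and the "tiny fragment" anomaly rule are all constructed for illustration.

```python
# Added example (not from the thread): measuring how informative an IDS
# event rule is, using a constructed packet sample with ground-truth labels.
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Packet:
    src: str
    fragmented: bool      # IP fragment (MF flag set or non-zero offset)
    frag_offset: int      # fragment offset in 8-byte units
    length: int           # payload bytes carried by this fragment
    is_attack: bool       # ground truth, known only because the sample is constructed

# Constructed sample: mostly ordinary traffic, some benign fragments, and one
# attack that happens to arrive as unusually small fragments (an assumption).
SAMPLE: List[Packet] = [
    Packet("10.0.0.5", False, 0, 512, False),
    Packet("10.0.0.6", False, 0, 1400, False),
    Packet("10.0.0.7", True, 0, 1480, False),   # benign large fragment
    Packet("10.0.0.7", True, 185, 600, False),  # its benign tail
    Packet("10.0.0.8", False, 0, 64, False),
    Packet("10.0.0.9", True, 0, 8, True),       # attack: tiny leading fragment
    Packet("10.0.0.9", True, 1, 8, True),
]

Rule = Callable[[Packet], bool]

def packet_event(p: Packet) -> bool:
    """The 'packet event' from the mail: fires on everything."""
    return True

def fragment_event(p: Packet) -> bool:
    """'I've seen a fragment': fires on any fragment, benign or not."""
    return p.fragmented

def tiny_fragment_event(p: Packet) -> bool:
    """Assumed anomaly rule: fragments carrying fewer than 16 bytes."""
    return p.fragmented and p.length < 16

def evaluate(rule: Rule, packets: List[Packet]) -> Tuple[int, float, float]:
    """Return (alert count, precision, recall) of a rule over labelled packets."""
    alerts = [p for p in packets if rule(p)]
    hits = sum(1 for p in alerts if p.is_attack)
    attacks = sum(1 for p in packets if p.is_attack)
    precision = hits / len(alerts) if alerts else 0.0
    recall = hits / attacks if attacks else 0.0
    return len(alerts), precision, recall

if __name__ == "__main__":
    for rule in (packet_event, fragment_event, tiny_fragment_event):
        print(rule.__name__, evaluate(rule, SAMPLE))
```

All three rules reach full recall on this sample; only the rule keyed to genuinely anomalous traffic keeps precision high, which is the point about generic triggers on normally occurring traffic.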

