Re: Statistical Anomaly Analysis? (was: a bunch of things)
From: Josh Gray (grayjr@cerias.purdue.edu)
Date: 03/18/02
- Previous message: John S Flowers: "Re: Statistical Anomaly Analysis? (was: a bunch of things)"
- In reply to: John S Flowers: "Re: Statistical Anomaly Analysis? (was: a bunch of things)"
- Next in thread: John S Flowers: "Re: Statistical Anomaly Analysis? (was: a bunch of things)"
- Reply: John S Flowers: "Re: Statistical Anomaly Analysis? (was: a bunch of things)"
Date: Mon, 18 Mar 2002 01:29:44 -0500
To: John S Flowers <jflowers@well.com>
From: Josh Gray <grayjr@cerias.purdue.edu>
John S Flowers wrote:
> You said, " Basically my point is that your IDS is what you make of it.
> If you're tired of seeing the same alerts every day then disable them."
>
> The stated purpose of an Intrusion Detection System is to detect an
> intrusion on your network environment. If any IDS cannot do this - the
> task it was specifically designed to perform - I would say it is both
> incorrectly named and also totally useless.
Thanks for the definition...so you're saying that if someone never
updates their signatures then they aren't using an IDS?
>
>
> The notion of disabling attacks just because they annoy someone is
> completely ridiculous. It's like poking your head in the sand and saying
> "no one can see me, since I can't see them!" If someone actually cares
> about the network they're protecting, this kind of approach to security
> should be unconscionable.
>
What is the point of detecting an AIX attack when you have nothing but
Windows machines on your network? Sure, some people care that the attack was
attempted, but those aren't the people complaining about too many alerts.
What do you do when you see an attack for an OS that isn't on your network? Do you
respond? If you have no intention of responding then why do you care? If you
want to keep it for whatever reason that's fine, but once again those aren't the
people complaining about too many alerts.
>
> Unfortunately, I see this attitude manifest itself every day when a
> network administrator gets a page, looks at the pager, then cradles it in
> the holster again and looks up, saying, "Just our IDS going off again..."
>
You need to get a new admin. You might want to consider some dedicated
analysts that won't just brush things off.
>
> And then said, "If you know your network really well then you can tune
> your IDS to look for things that shouldn't be happening."
>
> This, on the other hand, I completely agree with. You should be familiar
> enough with your network to tune your IDS to alert on anything that
> violates your network policy. This might be a port scan or access to a
> sensitive server or someone using hotmail or an actual attack. In any case,
> detecting _everything_ that could be considered an intrusion is exactly
> the point of an intrusion detection system.
>
If you disagree with my suggestion about disabling alerts then how do
you expect to tune your IDS for your network? If you don't prioritize them or
disable them then how do you tune your IDS?
Josh
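One way to act on the "prioritize them or disable them" point without throwing alerts away, as an added example that is not part of the original thread: each alert is scored against an asset inventory, so a signature for an OS that is not on the network is logged rather than paged. The inventory, the sample alerts and the `target_os` field on an alert are constructed assumptions, not any particular IDS's format.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed asset inventory: destination host -> OS it actually runs.
INVENTORY: Dict[str, str] = {
    "10.0.0.5": "windows",
    "10.0.0.6": "windows",
    "10.0.0.7": "windows",
}


@dataclass
class Alert:
    sig: str
    dst_ip: str
    # OS the signature's exploit applies to; None for policy/generic rules
    # such as port scans or webmail use that matter regardless of platform.
    target_os: Optional[str]


def triage(alert: Alert, inventory: Dict[str, str]) -> str:
    """Return 'page' (wake an analyst), or 'log' (keep the record, no page)."""
    if alert.target_os is None:
        return "page"  # policy violations are always relevant to this network
    host_os = inventory.get(alert.dst_ip)
    if host_os is None:
        return "log"  # unknown host: keep the alert, fix the inventory gap
    if host_os == alert.target_os:
        return "page"  # the exploit could actually work here
    return "log"  # OS mismatch: the AIX attack against a Windows box case


def summarize(alerts, inventory: Dict[str, str]) -> Dict[str, int]:
    """Count how many alerts would page vs. only be logged."""
    counts = {"page": 0, "log": 0}
    for a in alerts:
        counts[triage(a, inventory)] += 1
    return counts


# Constructed sample alerts (signature names are illustrative only).
SAMPLE_ALERTS = [
    Alert("AIX-rlogin-overflow", "10.0.0.5", "aix"),
    Alert("IIS-unicode-traversal", "10.0.0.5", "windows"),
    Alert("portscan-detected", "10.0.0.6", None),
    Alert("solaris-rpc-exploit", "10.0.0.99", "solaris"),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(f"{a.sig:24} -> {triage(a, INVENTORY)}")
    print(summarize(SAMPLE_ALERTS, INVENTORY))
```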