Re: IDS is dead, etc

From: Frank Knobbe (
Date: 08/11/03

    To: Bennett Todd <>
    Date: Mon, 11 Aug 2003 13:58:54 -0500

    On Fri, 2003-08-08 at 12:15, Bennett Todd wrote:
    > I do maintain, however, that by combining tight configuration
    > control with complete abstinence from known-bad software, you can
    > raise the barrier sufficiently high that the attacks that succeed
    > will be so wildly new and out of left field that your IDS would be
    > no more help than your firewall. IDSes detect known problems;
    > they're the "anti-virus scanners" of the network.

    If you limit your thinking to signature-based IDSes then yes. However,
    anomalies, abnormal traffic, policy violations, and other "weird stuff"
    *can* be detected by IDSes (if so configured), and that lets you move the
    detection capabilities beyond the "known stuff".

    Marty brought up the point about how people use/don't use Snort. Snort
    rocks because it is so configurable; as Marty said, it is a framework for
    your custom solution (in your custom network). With Snort we can do anomaly
    detection and catch a lot of "unknowns". Other IDSes may not be as
    flexible, but that doesn't mean that Intrusion Detection cannot detect
    the abnormal things. If your IDS just acts as a network-based virus
    scanner, perhaps you need to take a look at some other IDSes.
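As an added illustration of the point made in the post above (example code written for this page, not Frank's own and not Snort's; Snort would express the same policy check in its rule language), the script below runs two detectors that contain no payload signature at all: a static site-policy rule ("only the mail relay sends outbound SMTP") and a per-host baseline that flags a source talking to a service it never used during a training window. The subnet, relay address, log format and every connection record are constructed for the example.

```python
"""Two non-signature detectors over constructed connection records.

Nothing here matches a payload pattern: the policy check is a static
site rule, and the anomaly check compares traffic to a learned baseline.
Subnets, hosts and log lines are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line):
    """Parse one 'ts src dst proto dport' record (a constructed log format)."""
    ts, src, dst, proto, dport = line.split()
    return Conn(int(ts), src, dst, proto, int(dport))


# Assumed site policy: only the mail relay may send outbound SMTP.
WORKSTATIONS = ip_network("10.1.0.0/16")   # assumed workstation subnet
MAIL_RELAY = "10.0.0.25"                    # assumed permitted SMTP relay


def policy_violations(conns):
    """Policy rule: a workstation talking tcp/25 to anything but the relay."""
    return [c for c in conns
            if c.proto == "tcp" and c.dport == 25
            and ip_address(c.src) in WORKSTATIONS
            and c.dst != MAIL_RELAY]


class NewServiceAnomaly:
    """Per-source baseline of (proto, dport) pairs learned from a training window."""

    def __init__(self):
        self.baseline = defaultdict(set)

    def train(self, conns):
        for c in conns:
            self.baseline[c.src].add((c.proto, c.dport))

    def detect(self, conns):
        """Flag a source never seen in training, or a service it never used."""
        return [c for c in conns
                if (c.proto, c.dport) not in self.baseline.get(c.src, set())]


# Constructed "known good" window used to build the baseline.
TRAINING = """\
1000 10.1.2.3 10.0.0.80 tcp 80
1001 10.1.2.3 10.0.0.53 udp 53
1002 10.1.2.3 10.0.0.25 tcp 25
1003 10.1.2.4 10.0.0.80 tcp 80
1004 10.1.2.4 10.0.0.53 udp 53
""".splitlines()

# Constructed window under inspection.
OBSERVED = """\
2000 10.1.2.3 10.0.0.80 tcp 80
2001 10.1.2.3 198.51.100.7 tcp 25
2002 10.1.2.4 192.0.2.9 tcp 6667
2003 10.1.2.4 203.0.113.5 tcp 25
2004 10.1.9.9 10.0.0.80 tcp 80
""".splitlines()


def run_example():
    """Return (policy hits, anomaly hits) over the constructed windows."""
    training = [parse_line(line) for line in TRAINING]
    observed = [parse_line(line) for line in OBSERVED]
    detector = NewServiceAnomaly()
    detector.train(training)
    return policy_violations(observed), detector.detect(observed)


if __name__ == "__main__":
    policy, anomaly = run_example()
    for c in policy:
        print(f"POLICY  {c.src} -> {c.dst}:{c.dport}/{c.proto} (outbound SMTP not via relay)")
    for c in anomaly:
        print(f"ANOMALY {c.src} -> {c.dst}:{c.dport}/{c.proto} (service not in baseline)")
```

Note how the two detectors complement each other on the constructed data: the record at ts 2001 (a host that legitimately uses SMTP, but to the wrong destination) is caught only by the policy rule, while the IRC-port connection at ts 2002 and the never-seen host at ts 2004 are caught only by the baseline; neither needs a signature for whatever malware produced the traffic.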


