Re: IDS is dead, etc
From: Frank Knobbe (frank_at_knobbe.us)
To: Bennett Todd <firstname.lastname@example.org>
Date: Mon, 11 Aug 2003 13:58:54 -0500
On Fri, 2003-08-08 at 12:15, Bennett Todd wrote:
> I do maintain, however, that by combining tight configuration
> control with complete abstinence from known-bad software, you can
> raise the barrier sufficiently high that the attacks that succeed
> will be so wildly new and out of left field that your IDS would be
> no more help than your firewall. IDSes detect known problems;
> they're the "anti-virus scanners" of the network.
If you limit your thinking to signature-based IDS's then yes. However,
anomalies, abnormal traffic, policy violations, and other "weird stuff"
*can* be detected by IDS's (if so configured), and lets you move the
detection capabilities beyond the "known stuff".
Marty brought up the point about how people use/not-use Snort. Snort
rocks because it is so configurable, as Marty said, a framework for your
custom solution (in your custom network). With Snort we can do anomaly
detection and catch a lot of "unknowns". Other IDS's may not be as
flexible, but that doesn't mean that Intrusion Detection can not detect
the abnormal things. If your IDS just acts as a network based virus
scanner, perhaps you need to take a look at some other IDS's.
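As an added illustration of the signature-versus-policy distinction argued above (not code from this thread, and not Snort's own logic): a content matcher that only fires on a constructed known-bad string, beside a policy check that flags outbound flows no signature would ever match. The hosts, ports, policy table and sample traffic are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes

# Constructed "known-bad" content, the kind of match a signature-only IDS relies on.
SIGNATURES = {"known-exploit-marker": b"/cgi-bin/evil.pl"}

# Constructed site policy: only the mail relay may send SMTP outbound and only the
# proxy may send HTTP outbound; every other outbound port is a violation.
INTERNAL = ip_network("10.0.0.0/8")
ALLOWED_OUTBOUND = {25: {"10.0.0.25"}, 80: {"10.0.0.80"}}

def signature_alerts(flows):
    """Match payloads against known-bad content (the 'network virus scanner' mode)."""
    return [(name, f.src, f.dst, f.dport)
            for f in flows
            for name, pattern in SIGNATURES.items()
            if pattern in f.payload]

def policy_alerts(flows):
    """Flag outbound flows that break the site policy, whatever their payload."""
    hits = []
    for f in flows:
        if ip_address(f.src) not in INTERNAL or ip_address(f.dst) in INTERNAL:
            continue  # only inside-to-outside traffic is covered by this policy
        allowed = ALLOWED_OUTBOUND.get(f.dport)
        if allowed is None:
            hits.append(("outbound-port-not-allowed", f.src, f.dst, f.dport))
        elif f.src not in allowed:
            hits.append(("unauthorized-source-for-port", f.src, f.dst, f.dport))
    return hits

# Constructed sample traffic (RFC 5737 documentation addresses for the outside).
SAMPLE = [
    Flow("10.0.0.80", "203.0.113.5", 80, b"GET /cgi-bin/evil.pl HTTP/1.0"),  # known bad, allowed path
    Flow("10.0.0.25", "203.0.113.9", 25, b"EHLO relay"),                     # allowed by policy
    Flow("10.0.0.42", "203.0.113.9", 25, b"EHLO workstation"),               # policy violation, no signature
    Flow("10.0.0.42", "203.0.113.7", 6667, b"NICK bot1"),                    # unknown port, no signature
]
```

The last two flows carry nothing any signature knows about, yet the policy check reports both; the first flow shows the two modes are complementary, not substitutes.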