Re: IDS is dead, etc

From: Frank Knobbe (
Date: 08/11/03

  • Next message: Eric Knight: "Processing time and IDS traffic"
    To: Bennett Todd <>
    Date: Mon, 11 Aug 2003 13:58:54 -0500

    On Fri, 2003-08-08 at 12:15, Bennett Todd wrote:
    > I do maintain, however, that by combining tight configuration
    > control with complete abstinance from known-bad software, you can
    > raise the barrier sufficiently high that the attacks that succeed
    > will be so wildly new and out of left field that your IDS would be
    > no more help than your firewall. IDSes detect known problems;
    > they're the "anti-virus scanners" of the network.

    If you limit your thinking to signature based IDS's then yes. However,
    anomalies, abnormal traffic, policy violations, and other "weird stuff"
    *can* be detected by IDS's (if so configured), and let's you move the
    detection capabilities beyond the "known stuff".

    Marty brought up the point about how people use/not-use Snort. Snort
    rocks because it is so configurable, as Marty said, a framework for your
    custom solution (in your custom network). With Snort we can do anomaly
    detection and catch a lot of "unkowns". Other IDS's may not be as
    flexible, but that doesn't mean that Intrusion Detection can not detect
    the abnormal things. If your IDS just acts as a network based virus
    scanner, perhaps you need to take a look at some other IDS's.



  • Next message: Eric Knight: "Processing time and IDS traffic"