Re: how to do intrusion detection right
Nicholas Charles Brawn (ncb05@uow.edu.au)
Sat, 18 Apr 1998 13:04:14 +1000 (EST)
Would you then not run the risk of attackers masking hostile traffic by
making it appear to look "expected"?
Nicholas Brawn

--
Email: ncb05@uow.edu.au
Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.
On Thu, 16 Apr 1998, George J. Dolicker wrote:
> I think perhaps what the intrusion detection system might do is not look
> for something "interesting", but rather something "different". Rather than
> trying to define what is a problem, define what is NOT a problem... so
> configure the IDS to smile upon traffic that is expected, and panic over
> anything else.
>
> Same principle we use in firewalling: that which is not explicitly
> permitted is denied.
>
> G.
>
> At 12:02 PM 4/16/98 MDT, Martin W Freiss wrote:
> >When the administrator can tailor the IDS to unacceptable/interesting
> >stuff on the net, what he does is transfer his own mindset about security
> >to the IDS. I then have a machine that "thinks" like me, which thus alerts
> >me about facts that I am already aware of - a useful thing that may save
> >some work, but will not help me notice next week's bug being exploited.
> >
> >I may be stupid, but what is "interesting" is something I do not know
> >before an intrusion attempt.
> >Tomorrow's attack may use some technique that is "obviously" safe today,
> >thus bypassing my (human or computer) filtering layer. Using a sufficiently
> >"new" technique, my firewall will probably not notice that it has been
> >broached. What _can_ help me is having a complete log of everything that
> >has been going through the network, which I can then analyze to understand
> >what has happened. An intrusion analysis system, if you will - which
> >so far includes a large human component.
> >
> >-Martin
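An added illustration of the default-deny IDS George describes, written for this archive page and not taken from any poster: it learns the expected (source, destination, port) tuples from a constructed baseline, alerts on anything outside that profile or on a known tuple at unusual volume, and shows that a flow which copies an expected tuple at normal volume passes unflagged, which is the masking risk raised in the reply above and one reason the complete log Martin asks for still matters. All addresses and byte counts are constructed sample values.

```python
# Constructed baseline flows: (src, dst, dst_port, bytes). Not from the thread.
BASELINE = [
    ("10.0.0.5", "10.0.0.1", 53, 120),
    ("10.0.0.5", "192.0.2.10", 80, 4200),
    ("10.0.0.7", "192.0.2.10", 80, 3900),
    ("10.0.0.5", "10.0.0.1", 53, 95),
    ("10.0.0.7", "10.0.0.2", 25, 2100),
]

def learn_profile(flows):
    """Default-deny profile: the (src, dst, port) tuples seen during a
    trusted baseline period, each with the largest byte count observed."""
    seen = {}
    for src, dst, port, nbytes in flows:
        key = (src, dst, port)
        seen[key] = max(seen.get(key, 0), nbytes)
    return seen

def classify(profile, flows, slack=2.0):
    """Return (alerts, passed). Any tuple not in the profile is an alert
    ("panic over anything else"); a known tuple is still flagged when its
    volume exceeds `slack` times the baseline maximum for that tuple."""
    alerts, passed = [], []
    for flow in flows:
        src, dst, port, nbytes = flow
        key = (src, dst, port)
        if key not in profile:
            alerts.append((flow, "unexpected tuple"))
        elif nbytes > slack * profile[key]:
            alerts.append((flow, "volume above baseline"))
        else:
            passed.append(flow)
    return alerts, passed

# Constructed test traffic. The last flow is hostile by construction but copies
# an expected tuple at normal volume: the masking case Nicholas asks about.
OBSERVED = [
    ("10.0.0.5", "10.0.0.1", 53, 110),
    ("10.0.0.9", "10.0.0.1", 23, 300),       # new host, telnet: unexpected tuple
    ("10.0.0.5", "192.0.2.10", 80, 90000),   # known tuple, far above baseline
    ("10.0.0.7", "192.0.2.10", 80, 3800),    # looks expected; passes unflagged
]

def run():
    return classify(learn_profile(BASELINE), OBSERVED)

if __name__ == "__main__":
    for flow, why in run()[0]:
        print("ALERT", why, flow)
```

The unflagged last flow is only recoverable later if the full traffic record was kept, not just the alerts.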
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:47 CDT