OSEC

Subject: False Sense of Security?
From: Jacob Martinson (jmartinsonAPERIAN.COM)
Date: Thu Nov 16 2000 - 08:48:17 CST


What is the real purpose in detecting exploit attempts? If you have a rule
(say in Snort or NFR) to identify a certain exploit and you are concerned
about someone running it on you, why wouldn't you just fix the vulnerability?
There will always be a gap in time between an exploit being published and a
fix being provided (and applied), but my impression is that most people
aren't this aggressive anyway.

Why would you care about a three month old exploit being run against you if
your systems are up to date? If you believe your network has machines that
are vulnerable, why would you leave it in a state where any available IDS
signatures would affect you?

It seems to me that (unless you have the resources to devote one or two
people to running a NIDS full-time) time and money would be better spent
securing systems and that a network-based IDS would be interesting and fun
but not necessarily as cost-effective as other things. This really only
applies to detecting exploit attempts, I think. I can definitely see the
value in discovering active use of backdoors and otherwise suspicious
traffic with a NIDS or some kind of protocol analyzer.

Am I missing something really big here?

Jacob Martinson