From: Kevin D (kdlistsMTSOLUTIONS.NET)
Date: Mon Apr 02 2001 - 10:17:43 CDT


One of the recurring topics I have been seeing on this list is the concept
that signature-based IDSs aren't too "bright." I have an IDS built into my
firewall as my first line of defence, and the only thing that I use it for
is a place to find out more info after I know a system has been breached.
This is because I get numerous false alarms on a daily basis.

Some have suggested security layouts that include a firewall as the first
line, then an IDS, thereby filtering most false alarms before they can
trigger the IDS. I am not an expert in the security field, but I'd like to
make a suggestion that expands on this concept.

Instead of having separate layers of IDSs that don't know what the other is
doing, how about setting up multiple IDSs that communicate with one another
to trace exploits? The firewall IDS could log all exploit attempts into a
database. The second-level IDS could track all exploits and compare them to
the firewall's database. A third component could watch incoming connections
on individual systems and check these against the combined IDSs' and
firewall's databases. Another component could watch for changes on
filesystems (i.e., Tripwire), and check these changes against the common
database.

It seems to me that the obvious way to make these systems "smarter" is to
make them all work together. Does this sound right?

Kevin
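The layout Kevin sketches (firewall, network IDS, per-host connection monitor and a file-integrity checker all writing into one common database, with a correlator that only trusts findings several layers agree on) can be shown in a few dozen lines. The following is an added example, not code from the post or from any product named on the list; the sensor names, event fields, verdict labels and sample events are all constructed for illustration.

```python
"""
Toy multi-sensor correlation store: every layer (firewall, network IDS,
host connection monitor, file-integrity monitor) logs into one shared
database, and a correlator raises a confident alert only when independent
layers agree on the same host.  All sensor names, fields and sample events
below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Sensors that observe a remote source address (as opposed to host-local FIM).
NETWORK_LAYERS = {"firewall", "nids", "hostmon"}


@dataclass(frozen=True)
class Event:
    sensor: str   # which layer produced the event
    src: str      # remote address, or "" for host-local sensors such as FIM
    host: str     # protected system the event is about
    detail: str   # free-text description supplied by the sensor


class SharedDB:
    """The common database every sensor writes into (in-memory here)."""

    def __init__(self) -> None:
        self.events: List[Event] = []

    def log(self, ev: Event) -> None:
        self.events.append(ev)

    def for_host(self, host: str) -> List[Event]:
        return [e for e in self.events if e.host == host]


def correlate(db: SharedDB) -> Dict[str, dict]:
    """Per host: which layers reported it, which sources, and a verdict."""
    reports: Dict[str, dict] = {}
    for host in sorted({e.host for e in db.events}):
        evs = db.for_host(host)
        layers = {e.sensor for e in evs}
        sources = {e.src for e in evs if e.src}
        net_hits = {e.sensor for e in evs if e.sensor in NETWORK_LAYERS}
        if "fim" in layers and net_hits:
            # Filesystem changed on a host that network layers also flagged.
            verdict = "compromise-likely"
        elif len(net_hits) >= 2:
            # Two independent network layers agree: worth a human look.
            verdict = "corroborated"
        else:
            # Single-layer hit: the kind of noise the post complains about.
            verdict = "unconfirmed"
        reports[host] = {"layers": layers, "sources": sources, "verdict": verdict}
    return reports


def sources_by_reach(db: SharedDB) -> Dict[str, int]:
    """How many distinct hosts each remote source has touched across all layers."""
    reach: Dict[str, set] = defaultdict(set)
    for e in db.events:
        if e.src:
            reach[e.src].add(e.host)
    return {src: len(hosts) for src, hosts in reach.items()}


def build_sample_db() -> SharedDB:
    """Constructed sample feed: one noisy source hits three hosts, one of
    which later shows a filesystem change; a second source is seen by two
    layers on one host; a third host only ever appears in firewall logs."""
    db = SharedDB()
    for ev in [
        Event("firewall", "203.0.113.5", "web1", "dropped tcp/445 SYN"),
        Event("firewall", "203.0.113.5", "web2", "dropped tcp/445 SYN"),
        Event("firewall", "203.0.113.5", "web3", "dropped tcp/445 SYN"),
        Event("nids", "203.0.113.5", "web1", "signature match: CGI probe on tcp/80"),
        Event("hostmon", "203.0.113.5", "web1", "inbound tcp/80 connection accepted"),
        Event("fim", "", "web1", "/usr/bin/ls checksum changed"),
        Event("firewall", "198.51.100.9", "web2", "dropped icmp echo"),
        Event("nids", "198.51.100.9", "web2", "signature match: ICMP sweep"),
    ]:
        db.log(ev)
    return db


if __name__ == "__main__":
    db = build_sample_db()
    for host, r in correlate(db).items():
        print(f"{host}: {r['verdict']} via {sorted(r['layers'])} from {sorted(r['sources'])}")
    print("source reach:", sources_by_reach(db))
```

The point of the verdict ladder is that a firewall-only hit (web3) stays "unconfirmed" and never pages anyone, while the same source seen by the firewall, the network IDS and the host monitor on web1, followed by a Tripwire-style checksum change, is promoted to "compromise-likely". A production version would also order events by time (the filesystem change should follow the traffic, not precede it) and expire old entries so a source that scanned last month does not taint an unrelated change today.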