From: Mike Ruscher (Mike.Ruscher@CSE-CST.GC.CA)
Date: Wed Apr 04 2001 - 15:11:58 CDT

    Sorry, forgot to share...

    -----Original Message-----
    From: Ruscher, M. G.
    Sent: Friday, March 30, 2001 2:52 PM
    To: 'Jerry Shenk'
    Subject: RE: IDS triggering (stick,snot,etc)

    Thanks. "Rolling your own" IDS certainly provides the freedom to innovate
    and address some of these challenges, but in the long run is not
    necessarily easy to manage, configurationally speaking.

    A concern I have is for those who either own, or market, the non-freeware
    IDSs. I hope the developers of these systems, e.g. ISS, CISCO, NFR, Network
    ICE, etc., are paying attention, and are not relying on the bean-counter
    mentality to keep them financially viable. There need to be more advances than
    just the odd new, or improved, filter, signature or GUI bug repair once in a
    while. Innovate or die... because once the snort, shadow, etc. user base
    expertise becomes critical, COTS might not be as attractive and the business
    case of "perceived" user-friendliness won't be as easy to defend, or brag
    about perhaps, considering the $$.

    mgr

    > -----Original Message-----
    > From: Jerry Shenk [mailto:jas@DECNS.COM]
    > Sent: Friday, March 30, 2001 11:00 AM
    > To: FOCUS-IDS@SECURITYFOCUS.COM
    > Subject: Re: IDS triggering (stick,snot,etc)
    >
    >
    > Oh, I absolutely agree that having the IDS be a little more intelligent
    > would be nice. I'll bet it will come too. Most of the alerts that I get
    > are obviously somebody scanning for a favorite vulnerability (111, 21 and
    > down the line). If I'd start to see the type of traffic we're talking
    > about here, that would be valid reason for concern.
    >
    > Have you ever looked at SPADE, a pre/post processor for Snort? I have not
    > worked with it but if I had unlimited time ;), I'd love to do it. Even on
    > my limited time, I'd like to work on it. It looks like it will keep track
    > of portscans, etc. and alert when 'necessary'. It's still a 'work in
    > progress' so it might not be what we want, but it looks like it would be
    > worth looking into.
    >
    > -----Original Message-----
    > From: Focus on Intrusion Detection Systems
    > [mailto:FOCUS-IDS@SECURITYFOCUS.COM]On Behalf Of Mike Ruscher
    > Sent: Friday, March 30, 2001 9:57 AM
    > To: FOCUS-IDS@SECURITYFOCUS.COM
    > Subject: Re: IDS triggering (stick,snot,etc)
    >
    >
    > Forensics are nice, and necessary, but what action does one take in the
    > interim? There is usually no predictable latency for the forensic activity,
    > since it involves humans which, as we all know, have other fires to fight.
    >
    > IDS can trigger responses in near real-time; if these become drowned out
    > somehow, or even disabled for any reason... impotence.
    >
    > Smarter pre-filtering, post-filtering, and configurable algorithms are the
    > answer for the first line of IDS early warning defence. A volume logger as a
    > secondary store for the forensic activity, that saves everything for a
    > predetermined time window before discarding, is complementary. I too agree
    > that it shouldn't be done all in one box. IDS should stick with detection,
    > but support collection of certain payload data that is significant, or of
    > interest, only when the occasion arises as decided by the IDS user.
    >
    > mgr
    >
    > Mike Ruscher, ITS Specialist I2, CSE/CST
    > mgruscher@cse-cst.gc.ca
    > Phone: +1 613 991-8040
    > ED/C200
    > http://www.cse-cst.gc.ca
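
The two mechanisms Mike Ruscher sketches in his quoted message (a smarter post-filter in front of the real-time response path, and a separate volume logger that keeps everything for a fixed window) can be shown in a few dozen lines. The example below is added here and is not code from the thread, from SPADE, from Snort or from any of the vendors named; it is a simulation, not a Snort preprocessor. It models the stick/snot flooding pattern the thread is about: a single source tripping many unrelated signatures within a few seconds, which is how those tools drown out genuine alerts. All addresses, signature ids, window sizes and thresholds are constructed for the example.

```python
"""Alert post-filter plus bounded volume logger (added example, not from the thread).

FloodFilter tags a source as a flood once it raises more than max_alerts
alerts across at least min_distinct signatures inside a sliding window;
VolumeLogger keeps every alert, flood or not, for a fixed time window so the
forensic side can still look at what was discarded from the real-time path.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float   # seconds since stream start
    src: str    # source address
    sid: int    # signature id, Snort-style


class VolumeLogger:
    """Secondary store: keeps every alert for `window_s` seconds, then discards."""

    def __init__(self, window_s: float):
        self.window_s = window_s
        self.buf: deque[Alert] = deque()

    def add(self, alert: Alert) -> None:
        self.buf.append(alert)
        # alerts arrive in time order, so expiry only ever pops from the left
        while self.buf and alert.ts - self.buf[0].ts > self.window_s:
            self.buf.popleft()

    def __len__(self) -> int:
        return len(self.buf)


class FloodFilter:
    """Per-source sliding-window post-filter.

    A real scanner tends to hammer one or two signatures at a human-chosen
    pace; an alert generator trips dozens of unrelated signatures in seconds.
    The filter keys on that difference rather than on any single signature.
    """

    def __init__(self, window_s: float, max_alerts: int, min_distinct: int):
        self.window_s = window_s
        self.max_alerts = max_alerts
        self.min_distinct = min_distinct
        self.recent: dict[str, deque[Alert]] = defaultdict(deque)

    def classify(self, alert: Alert) -> str:
        q = self.recent[alert.src]
        q.append(alert)
        while q and alert.ts - q[0].ts > self.window_s:
            q.popleft()
        distinct = len({a.sid for a in q})
        if len(q) > self.max_alerts and distinct >= self.min_distinct:
            return "flood"
        return "alert"


def process(alerts, window_s=5.0, max_alerts=20, min_distinct=10, log_window_s=60.0):
    """Run the post-filter over an alert stream.

    Returns (per-source verdict counts, number of alerts still held by the
    volume logger when the stream ends). Thresholds are illustrative.
    """
    flt = FloodFilter(window_s, max_alerts, min_distinct)
    log = VolumeLogger(log_window_s)
    counts = defaultdict(lambda: {"alert": 0, "flood": 0})
    for a in sorted(alerts, key=lambda x: x.ts):
        log.add(a)  # everything goes to the secondary store, verdict or not
        counts[a.src][flt.classify(a)] += 1
    return dict(counts), len(log)


def sample_stream():
    """Constructed input: a slow single-signature scan, then a stick-style flood."""
    alerts = []
    # 10.0.0.5: one signature, one alert every 3 seconds (a human-paced scan)
    for i in range(10):
        alerts.append(Alert(ts=float(i * 3), src="10.0.0.5", sid=1000))
    # 10.0.0.9: 200 alerts in 2 seconds spread over 50 different signatures
    for i in range(200):
        alerts.append(Alert(ts=100.0 + i * 0.01, src="10.0.0.9", sid=2000 + (i % 50)))
    return alerts


if __name__ == "__main__":
    verdicts, held = process(sample_stream())
    for src, c in verdicts.items():
        print(f"{src}: {c['alert']} alerts, {c['flood']} tagged as flood")
    print(f"volume logger holds {held} alerts for forensics")
```

With the constructed stream the slow scanner never exceeds the window threshold, so all ten of its alerts stay on the real-time path; the flooding source gets its first twenty alerts through before the filter recognises the pattern and tags the remaining 180, while the 60-second volume logger still holds all 200 of them (the scanner's earlier alerts have aged out) for whoever picks up the forensic work later. The first twenty getting through is the price of a pure post-filter: the response path still sees a burst before the verdict flips, which is why the thread argues for the filter and the logger as separate, complementary pieces rather than one box.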