From: Bennett Todd (betrahul.net)
Date: Mon Oct 15 2001 - 20:04:56 CDT

    2001-10-15-08:24:04 Veselin Mijuskovic:
    > The sole purpose of an Intrusion Detection System is to
    > detect intrusions to the system it is protecting.

    There's another purpose, so very closely related that it seems to
    have gotten inescapably tied to the acronym "IDS": to detect (and
    report, and archive for subsequent forensic analysis) _attempted_
    intrusions.

    I'm finding it valuable to distinguish that forensic role from the
    front-line task of detecting actual, "interesting" (i.e. possibly
    successful) attacks; designs can do a better job if they optimize
    for one or the other rather than trying to do both.

    An Intrusion Detection System, for setting off alarms when someone
    is breaking in, works best with a very actively tuned signature
    list, so that it's only looking for packets for which it will really
    want to generate alarms --- that's a strategy that can work for
    wire-speed IDS at modern fast network speeds without Ludicrous Speed
    hardware.

    An IDS for gathering and reporting trend data, and providing
    forensic logs for help reconstructing attack patterns, can do its
    job very usefully even if it fails to keep up with traffic bursts,
    even if it can be overwhelmed. And it can do this without a lot of
    brilliance and aggressive maintenance invested in tuning the
    signature database down fine.

    -Bennett

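The split the post argues for, as an added example that is not part of the original message: an alarm path that inspects every packet against a deliberately small signature list, beside a forensic path that tolerates drops behind a bounded queue and still yields trend counts. All packets, signature names and addresses below are constructed placeholders.

```python
from collections import Counter, deque

# Constructed sample traffic: (source address, payload marker). The markers
# are invented labels standing in for real signatures.
PACKETS = [("10.0.0.5", "GET /index.html")] * 6 + [
    ("10.0.0.9", "probe-A"), ("10.0.0.9", "probe-B"), ("10.0.0.9", "probe-A"),
    ("10.0.0.7", "exploit-X"),          # the one event that merits an alarm
    ("10.0.0.9", "probe-C"), ("10.0.0.9", "probe-A"),
] + [("10.0.0.5", "GET /index.html")] * 4

# Alarm path: a tiny, actively tuned list (constructed), only what should page someone.
ALARM_SIGNATURES = {"exploit-X": "known working exploit"}

# Forensic path: a broad list (constructed) that would be far too noisy for alarms
# but is useful for trend data and after-the-fact reconstruction.
FORENSIC_SIGNATURES = {"probe-A": "scanner", "probe-B": "scanner",
                       "probe-C": "scanner", "exploit-X": "exploit"}


def alarm_path(packets):
    """Check every packet against the small list; this path must never fall behind."""
    return [(src, ALARM_SIGNATURES[p]) for src, p in packets if p in ALARM_SIGNATURES]


def forensic_path(packets, queue_depth=4, drain_every=5):
    """Best-effort logger: a bounded capture queue feeding a slower analysis stage.

    When a burst fills the queue, packets are dropped and counted rather than
    stalling capture; the trend counts stay useful even though coverage is lossy.
    """
    queue, trends, dropped = deque(), Counter(), 0
    for i, (src, payload) in enumerate(packets, 1):
        if len(queue) >= queue_depth:
            dropped += 1                 # overwhelmed: record the loss and move on
        else:
            queue.append((src, payload))
        if i % drain_every == 0:         # the analysis stage catches up periodically
            while queue:
                s, p = queue.popleft()
                if p in FORENSIC_SIGNATURES:
                    trends[(s, FORENSIC_SIGNATURES[p])] += 1
    return trends, dropped


if __name__ == "__main__":
    print("alarms:", alarm_path(PACKETS))
    trends, dropped = forensic_path(PACKETS)
    print("trend counts:", dict(trends), "dropped:", dropped)
```

With this constructed burst the forensic path loses three packets, including the exploit, yet still reports the scanning host correctly; the alarm path, running the small list against every packet, is the one that catches the exploit.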