June 26th, 2002, 02:52 PM
Crying wolf: False alarms hide attacks
Interesting article about a big IDS test.
Crying wolf: False alarms hide attacks.
Eight IDSs fail to impress during the monthlong test on a production network.
Read the full article here
June 26th, 2002, 03:20 PM
Interesting article, thanks for the reference.
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect... There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
June 27th, 2002, 02:43 AM
I think this article mentioned but then glossed over a very important point. You can't just expect to drop an IDS into an unknown environment and expect it to perform well. That's the main reason it's so hard to compare IDSs. In order to get an IDS working properly, it takes weeks and sometimes months of tweaking to get the rulesets correct. And no matter how much your IDS costs, there's just no replacement for a knowledgeable analyst who knows his or her way around an IP header.
June 27th, 2002, 03:02 AM
Pretty nice article, thanks. Glancing over it, I think they really underscored the fact that not all IDSs are built the same... that is, many are "turnkey systems" that are so easy to operate that management might have the illusion they could do it, while others are so impossible that you don't want to touch them without a security engineer and a veteran code monkey sitting in front of the thing. Furthermore, many of these systems will only detect a handful of common (or perhaps even not-so-common but easy to identify) problems, but there's no way in hell to get them to do other things, particularly after new attack signatures become available (i.e. within a day or two).
Also, looking at the results, I'd... well, question the person's ability/knowledge of some of the products (caveat emptor, YMMV, etc). For example, from my experience with NFR I'm fairly sure that a typical wu exploit is pretty easy to pick out of the command... but, it's not going to work unless you tell it that it should be looking for it (and the last time I had a parallel ISS box (Nov 2000), it failed to see both a typical IIS vulnerability as well as WU-FTP exploits (our own host-based IDS picked up the attempts, however)).
But not surprising... a well-configured SNORT box probably outdid them all... as they say, you HAVE to know the environment you're dropping an IDS into... yet soooooo many people seem to completely gloss over that very important idea.
"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"
June 27th, 2002, 03:57 AM
This confirms my post in another thread about the BSA (Business Software Alliance) telling the gov there is going to be a major attack. Yeah, a major "buy our software" attack to prevent intrusions $$$. Remember the billions spent on Y2K, another non-event the BSA announced. A good firewall and a clear understanding of it and your ports, and you should be safe; yes, maybe a thing here or there, but throwing money into more software for already security-riddled OSs solves nothing. Bloated code and the cabinet stereo concept of M$ proves it over and over again.
I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure. - Glenn Seaborg