April 25th, 2003, 08:53 PM
#6
Wacky: There are two phases to an attack on a publicly accessible system:-
1. The Footprinting Phase: This is the act of determining the structure and available access to a network and what the OS, version, patch level of the server are and then what services are running, the software, version and patch level of that software. This phase is the phase that takes the most time and, in practical terms, makes the most "noise".
2. The Exploit Phase: Once properly footprinted the attacker knows about as much about your systems as you do, (ok, I'm exaggerating...<s>), and can select his tool of choice against the service he feels he can exploit. This phase is usually quite quick and is accomplished in relatively few packets. Once compromised, the "noise" it made can be quickly cleaned from the logs and the logging systems can be changed so as to not log events from the attackers machine(s).
Once hacked by a good hacker/cracker his/her activities may simply melt away into the day to day running of your system and you may never know you are owned.
That's where IDS's come in handy. If he's going to make a mistake it will probably be in the early stages of the footprinting phase when he may unleash a scan that is just noisy enough to alert the IDS. Now you can track the activity from that subnet to see what is happening. The benefit here is the pre-warning that something is about to occur. Even if he blasts away in a few seconds, finds an exploitable service, exploits it and cleans the system of evidence, when you come in in the morning the warning that something occurred should still be on your IDS. Even if you can't find any other evidence you can watch the box to see what happens when they come back next time and then you will have a clue as to what to do to re-protect the box.
FYI, these are the two adages I live by with regard to the security of my networks:-
1. It's not a matter of _if_ I get hacked, it's _when_!
2. It is my job as a security type to be able to recognize a future, current or prior hack and mitigate the damage.
Thus we have IDS's...... Any questions......
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
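As an added illustration of the point made in the post above (not the poster's code and not from any real IDS), a small Python detector that flags the "noisy" footprinting pattern the post describes: one source touching many distinct ports within a short window. The log format, IP addresses and thresholds are constructed for the example; the slow scanner in the sample shows the caveat that a patient attacker who spreads probes out stays under a short-window threshold, so the window has to be widened to catch him.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _build_sample_log():
    """Constructed sample: one noisy scanner, one ordinary web client and
    one slow scanner that spreads its probes out (not from any real IDS)."""
    t0 = datetime(2003, 4, 25, 20, 53, 0)
    lines = []
    for i, port in enumerate(range(21, 36)):            # 15 ports in 2.8 s: noisy
        ts = t0 + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 -> {port}")
    for i in range(3):                                  # port 80 only: normal
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 192.168.1.20 -> 80")
    for i, port in enumerate(range(21, 33)):            # 12 ports over 66 s: slow
        lines.append(f"{(t0 + timedelta(seconds=6 * i)).isoformat()} 10.0.0.9 -> {port}")
    return lines

SAMPLE_LOG = _build_sample_log()   # format: "<ISO timestamp> <src_ip> -> <dst_port>"

def parse_line(line):
    ts, src, _, port = line.split()
    return datetime.fromisoformat(ts), src, int(port)

def detect_scans(lines, min_ports=10, window_seconds=5):
    """Flag a source that touches >= min_ports distinct destination ports
    within any window_seconds span. Returns {src: (window_start, port_count)}."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, port = parse_line(line)
            events[src].append((ts, port))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window forward
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports and (best is None or len(ports) > best[1]):
                best = (evs[start][0], len(ports))
        if best:
            alerts[src] = best
    return alerts
```

With the default 5-second window only 10.0.0.5 is flagged; widening the window to 70 seconds also surfaces the slow scanner 10.0.0.9.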