lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <LKEGIEEDGKCLIPEGBBJHIEEFCDAA.xxradar@radarhack.com>
From: xxradar at radarhack.com (Philippe Bogaerts)
Subject: The usefullness of IDSes (Was: Re: Is Marty Lying?)

Hello,
I totally agree.  An IDS for auditing firewall or other policies can be
usefull, if properly configured. I simple hate the fact that most vendors
position their IDS product as an attack blocking device. The only thing they
can is actually RST tcp connections (sometimes).  My opnion is that is quite
a simple and basic method for doing attack blocking.



Gr

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Peter Busser
Sent: Tuesday, September 23, 2003 8:36 AM
To: full-disclosure@...ts.netsys.com
Subject: The usefullness of IDSes (Was: Re: [Full-Disclosure] Is Marty
Lying?)


Hi!

> "Detect intrusions" - if you can set an IDS signature for something, then
> you shouldn't be vulnerable to it.  So the functionality of IDS is to tell
> you when you've been compromised by six-month old public vulnerabilities
> that dvdman has finally gotten his hands on an exploit for, that you never
> bothered to patch for?
>
> Useless.

And what if you use an IDS for checking a security policy? E.g. if you have
a
special server that is only used by the accounting department and you set up
rules to detect connections to that server coming from other departments?

Or to monitor port scanning probes on the network. A system shouldn't be
vulnerable to a probe. But it could mean the prelude to an attack.

Of course these things could be detected by other means as well.

Groetjes,
Peter Busser
--
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ