hiya
i think that ids is fine..but...
- what do you do when someone is logged in as root on an xdm login screen
- what do you do next
- what do you do when you detect a port scan...
- what do you do next
- when your host IDS detects that someone added a rootkit....
- what do you do next
- what do you do when you detect lots of telnet/ftp/web/ssh/smtp
failed connection attempts to your server
- what do you do next
- when your network IDS detects that 1/2 of the websites being
viewed is going to "one of those websites"..
- what do you do next
- when your IDS ( falsely ) says you have an intruder ...
- what do you do next
- when you or your IDS notice that there is a file with all
your passwds ...
- what do you do next
- how important is the data you are trying to protect ??
- where else is it kept...
-- you can spend lots of time on IDS... but what is accomplished
chasing after false alarms ...
- a policy that no one logs in as root eliminates lots
of internal security breaches
-- lots to do... so little time .... when doing for 10-50-100 servers
- log all traffic to a log file on a loghost server
( analyze it later ??
- "instantly" detect any changes to your root filesystems
- if someone reboots or logs in as root...page yourself
- do a couple trivial things that render most script kiddies
harmless
- one machine does NOT trust any other... any breach is
limited to that one insecure server
have fun
alvin
http://www.Linux-Sec.net/IDS -- list of IDS apps
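As an added illustration of the "page yourself on root login or reboot" and "failed connection attempts" items above (example code, not part of Alvin's message or any IDS listed at that URL): a small syslog scan that turns constructed sample log lines into alert lines. The sshd and su message formats follow common Linux syslog output; the xdm "login as root" message and the hostname/program field positions are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original message: flag the events worth paging
# on (root logins, reboots) and repeated failed root logins in syslog text.
# All log lines below are constructed samples; the xdm line format is assumed.

SAMPLE_LOG='Sep 20 10:01:02 web1 sshd[1234]: Accepted password for alice from 10.0.0.5 port 40000 ssh2
Sep 20 10:03:44 web1 sshd[1240]: Accepted publickey for root from 10.0.0.9 port 40100 ssh2
Sep 20 10:05:10 web1 su: (to root) bob on /dev/pts/2
Sep 20 10:06:00 web1 xdm[500]: login as root
Sep 20 10:20:00 web1 shutdown[777]: shutting down for system reboot
Sep 20 10:25:00 web1 sshd[1300]: Failed password for root from 10.0.0.9 port 40200 ssh2
Sep 20 10:25:03 web1 sshd[1301]: Failed password for root from 10.0.0.9 port 40201 ssh2
Sep 20 10:25:07 web1 sshd[1302]: Failed password for root from 10.0.0.9 port 40202 ssh2'

# root_events LOG_TEXT [THRESHOLD]
# Prints one "ALERT <host>: <reason>" line per event worth paging on.
# Field layout assumed: $4 = hostname, $5 = "program[pid]:".
root_events() {
  printf '%s\n' "$1" | awk -v thresh="${2:-3}" '
    /sshd\[[0-9]+\]: Accepted .* for root from/     { print "ALERT " $4 ": root ssh login from " $11 }
    /su: \(to root\)/                               { print "ALERT " $4 ": su to root by " $8 }
    /xdm\[[0-9]+\]: login as root/                  { print "ALERT " $4 ": root login on xdm console" }
    /shutdown\[[0-9]+\]:.*reboot/                   { print "ALERT " $4 ": reboot requested" }
    /sshd\[[0-9]+\]: Failed password for root from/ { fails[$4 " " $11]++ }
    END {
      # Brute-force noise: page only once a source crosses the threshold,
      # so one mistyped password does not wake anyone up
      for (k in fails) if (fails[k] >= thresh) {
        split(k, p, " ")
        print "ALERT " p[1] ": " fails[k] " failed root logins from " p[2]
      }
    }'
}

# Hook for the "page yourself" step: reads alert text on stdin. Here it only
# appends to a file; in practice replace it with mail(1) or a pager gateway.
page_admin() {
  cat >> "${ALERT_FILE:-/tmp/root-alerts.log}"
}

# Run against the constructed sample (writes alerts to stdout)
root_events "$SAMPLE_LOG"
```

Pipe `root_events` output into `page_admin` (or tail the loghost's log into the same awk) to get the paging behaviour the message describes.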
On Thu, 20 Sep 2001, Daniel Mester wrote:
> I found big article about IDS.
> http://www.nwc.com/1217/1217f2.html
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls