We gotcha covered, Frank. You get an alert by default (that is, a visual cue in the UI). If you want an alarm for new hosts, have at it. It's a simple change to the default zone policy config.

On 9/3/05 7:58 AM, "Frank Knobbe" <[EMAIL PROTECTED]> wrote:

> On Tue, 2005-08-30 at 18:02 -0400, Adam Powers wrote:
>> This is why most of today's *successful* anomaly detection technologies
>> incorporate a learning or "behavioral" component that overcomes this kind of
>> problem. Take StealthWatch for instance. When a new DNS server comes online,
>> StealthWatch looks at the flows being generated by the server, figures out
>> what the server is and how it's behaving, then applies the appropriate
>> algorithms given the contextual awareness of the server's learned behaviors.
>>
>> In a nutshell:
>>
>> 1. New host detected.
>> 2. Let's watch it for a bit and figure out what it's up to.
>> 3. Now that we know what the machine is and does, apply the proper anomaly
>> detection techniques to the traffic generated by the host.
>
> uhm... then I would rather not use Stealthwatch. If a new host comes
> online, I'd like to receive an alert on that. Also, letting the IDS
> guess what is normal may be suboptimal. For instance, if a host is
> hacked and starts an FTP server on a new IP address the hacker assigns
> (new host), the IDS will watch the FTP traffic of the pubstro and then
> consider it normal. Except that it isn't :)
>
> So having an IDS accept a new host and consider its traffic normal
> without any sort of alerts or user intervention can hardly be considered
> a "successful" IDS.
>
> Regards,
> Frank
>

--
Adam Powers
Director of Technology
Lancope, Inc.
c. 678.725.1028
e. [EMAIL PROTECTED]
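
A minimal sketch of the design point debated in this thread, added here as an illustration; it is not StealthWatch code and was not posted by either participant. A new host raises an alert on first sight, and its learned profile is treated as "normal" only after an analyst approves it. The class name, the learning threshold, and the flow records are all constructed for the example.

```python
from collections import defaultdict

LEARN_FLOWS = 3  # constructed threshold: flows watched before a profile is proposed


class HostBaseline:
    """Per-host learned baseline that never trusts itself without approval."""

    def __init__(self):
        self.seen = defaultdict(set)   # host -> server ports observed while learning
        self.count = defaultdict(int)  # host -> flows observed while learning
        self.approved = {}             # host -> ports an analyst signed off on

    def observe(self, host, port):
        """Process one flow served by `host` on `port`; return any alerts."""
        if host in self.approved:
            if port not in self.approved[host]:
                return [f"ANOMALY {host} serving unapproved port {port}"]
            return []
        alerts = []
        if host not in self.seen:
            # Step 1 of the quoted list, made visible instead of silent.
            alerts.append(f"NEW_HOST {host} first seen serving port {port}")
        self.seen[host].add(port)
        self.count[host] += 1
        if self.count[host] == LEARN_FLOWS:
            # Step 2 ends here, but the profile is only a proposal.
            ports = sorted(self.seen[host])
            alerts.append(f"REVIEW {host} learned ports {ports} awaiting approval")
        return alerts

    def approve(self, host):
        """Analyst accepts the learned profile as this host's normal behaviour."""
        self.approved[host] = set(self.seen[host])


def run_demo():
    """Constructed flows: a DNS server that gets approved, then an unknown FTP host."""
    b, alerts = HostBaseline(), []
    for _ in range(3):
        alerts += b.observe("192.0.2.53", 53)
    b.approve("192.0.2.53")
    for _ in range(3):
        alerts += b.observe("192.0.2.99", 21)  # never approved, so never "normal"
    alerts += b.observe("192.0.2.53", 21)      # approved host deviates from profile
    return alerts


if __name__ == "__main__":
    print("\n".join(run_demo()))
```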
