I agree, now let's have a cup of coffee.

Don
-----Original Message-----
From: Jay D. Dyson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 30, 2002 1:15 PM
To: Security-Basics List
Subject: RE: Reacting to IDS alerts

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 30 May 2002, Matthew F. Caldwell wrote:

> My thought is that you don't want your IDS to do this type of "analysis";
> instead you do the analysis and response at a higher level (threat
> analysis/correlation) in order to be more accurate.

Normally I'd agree with you, but there is a certain class of attacks that is rather obvious. Users don't just "mistype" a Code Red or Nimda attack in their web browser. People don't "accidentally" spew a SunRPC buffer overflow attempt your way. And nobody "mistakenly" portscans every IP on your Class B looking for FTP servers right after another wu-ftpd exploit is posted to Bugtraq. Those are the beasts I'm talking about.

The casual or infrequent boink on a given service is only of casual interest to me, and I don't make a peep about it until a pattern emerges (as is normally the case with scans for SSH services and the like).

> GuardedNet has created an application that does this for you, and
> enables you to respond via OPSEC and a number of other sources. It
> also maintains a whois database with latitude and longitude plot points
> so you can see where the attacks are coming from and a built-in
> ticketing system for handling the incidents.

Neat. Only how much does it cost?

In these times, wherein what little security budget we get is normally tossed out to snake oil talking heads and half-assed pen-testers (rather than meaningful security solutions and clued pen-testers), a lot of us have to make do with rolling our own. I'm also of the radical mindset that, since attackers pound our systems at no charge, we should be able to aggressively defend them at the same fee structure...hence my fanatical support of Open Source stuff.

And yes, I have a bad attitude. It took me a long time to get this way and I'm very proud of it.

- -Jay

    (    (                                                      _______
    ))   ))   .--"There's always time for a good cup of coffee"--.   >====<--.
  C|~~|C|~~| (>------ Jay D. Dyson -- [EMAIL PROTECTED] ------<)  |    = |-'
   `--' `--'  `-- I'll be diplomatic...when I run out of ammo. --'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQE89ohGGI2IHblM+8ERAtuhAJ4q5SOqyTAGu++YOColN3f+fNe6AgCfVzLE
6ucTt59FxBULRue6GSyo3k8=
=hbjS
-----END PGP SIGNATURE-----
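As an added example (not code from Jay's message, from GuardedNet, or from any tool named in the thread), here is the two-tier policy he describes written out in Python: alerts whose signature nobody fires by accident get an immediate response on the first hit, while the "casual boink" class is only counted per source and escalated once the same source has swept enough hosts, which is what turns a single FTP probe into a Class B sweep worth acting on. The alert format, signature names, addresses and the threshold of 5 hosts are all constructed for the example and are not real sensor output or a real rule set.

```python
import re
from collections import defaultdict

# Constructed alert lines in a simplified Snort-like "fast" format (made up for
# this example, not captured from a real sensor):
#   <date-time> [**] <signature name> [**] <src>:<sport> -> <dst>:<dport>
SAMPLE_ALERTS = """\
05/30-13:01:02 [**] WEB-IIS CodeRed v2 root.exe access [**] 203.0.113.7:3121 -> 192.0.2.10:80
05/30-13:01:05 [**] RPC portmap sunrpc overflow attempt [**] 198.51.100.4:1020 -> 192.0.2.22:111
05/30-13:02:00 [**] SCAN FTP probe [**] 203.0.113.9:40001 -> 192.0.2.1:21
05/30-13:02:01 [**] SCAN FTP probe [**] 203.0.113.9:40002 -> 192.0.2.2:21
05/30-13:02:02 [**] SCAN FTP probe [**] 203.0.113.9:40003 -> 192.0.2.3:21
05/30-13:02:03 [**] SCAN FTP probe [**] 203.0.113.9:40004 -> 192.0.2.4:21
05/30-13:02:04 [**] SCAN FTP probe [**] 203.0.113.9:40005 -> 192.0.2.5:21
05/30-13:10:00 [**] SCAN SSH probe [**] 198.51.100.77:51000 -> 192.0.2.30:22
05/30-13:11:00 [**] WEB-IIS Nimda cmd.exe access [**] 203.0.113.7:3122 -> 192.0.2.10:80
garbage line the sensor should never have written
"""

# Signatures nobody triggers by accident; one hit is enough to act on.
# (Hypothetical names chosen to match the constructed log, not a real rule set.)
AUTO_RESPOND = {
    "WEB-IIS CodeRed v2 root.exe access",
    "WEB-IIS Nimda cmd.exe access",
    "RPC portmap sunrpc overflow attempt",
}

# Everything else is a "casual boink": count distinct targets per source and
# escalate only once one source has poked this many hosts (assumed value).
SWEEP_THRESHOLD = 5

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] (?P<sig>.+?) \[\*\*\] "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return (signature, src, dst) for one alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return m.group("sig"), m.group("src"), m.group("dst")


def triage(alert_text, auto_respond=AUTO_RESPOND, sweep_threshold=SWEEP_THRESHOLD):
    """Split alerts into buckets:
       block    - sources that fired an unambiguous signature (respond now)
       escalate - sources whose low-signal hits spread across >= threshold hosts
       quiet    - low-signal sources still below threshold, with target counts
    Lines that do not parse are counted in 'skipped' rather than dropped silently."""
    block = set()
    targets = defaultdict(set)   # src -> distinct hosts touched with low-signal sigs
    skipped = 0
    for line in alert_text.splitlines():
        parsed = parse_alert(line)
        if parsed is None:
            skipped += 1
            continue
        sig, src, dst = parsed
        if sig in auto_respond:
            block.add(src)
        else:
            targets[src].add(dst)
    escalate = {s for s, hosts in targets.items() if len(hosts) >= sweep_threshold}
    quiet = {s: len(hosts) for s, hosts in targets.items() if s not in escalate}
    return {
        "block": sorted(block),
        "escalate": sorted(escalate),
        "quiet": quiet,
        "skipped": skipped,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for src in result["block"]:
        print(f"block now:  {src}")
    for src in result["escalate"]:
        print(f"escalate:   {src} (sweep pattern)")
    for src, n in result["quiet"].items():
        print(f"watch only: {src} ({n} target(s) so far)")
    print(f"skipped {result['skipped']} unparsable line(s)")
```

On the sample, 203.0.113.7 and 198.51.100.4 land in the block bucket on their first Code Red, Nimda or SunRPC hit, 203.0.113.9 is escalated only because its FTP probes reached five distinct hosts, and the lone SSH probe from 198.51.100.77 stays a counter. The "block" list is the thing you would hand to whatever does the response (a firewall rule, an OPSEC call, a ticket); keeping the decision separate from the action is what lets the threshold be tuned without touching the enforcement path.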