RE: EXAMPLE: ### xxx Canada detected a penetration attempt from 209.123.x.229. Incident# xxxx

From: batz (no email)
Date: Sat Oct 27 2001 - 17:32:17 EDT


On Fri, 26 Oct 2001, Mike Batchelor wrote:

:The problem with automated notifications to IDS alerts is that they are
:justified with faulty reasoning.
:
:He should have stopped at #1, first phrase: "I get too many security
:alerts." Well dude, configure your IDS properly. Not every spark grows to
:be a four alarm fire.

My advice regarding IDS's is that it is ridiculous to have an IDS do anything
other than alert the human responsible for that sensor, as it is
either ineffectual or dangerous to have any other automated system reliably
act upon the information IDS's provide, in their current form.
This includes strikeback, attacker notification, or any contingencies.

As an IDS collects security information, it should not have access to
perform any action other than to store, and take steps to preserve the
integrity of that information. In any reasonable security policy where
separation of duties is enforced, a sensor shouldn't be trusted to
interprate the information it collects beyond the initial alert.

I think it's irresponsible of some of the home firewall vendors to
incorporate this into their products, as I can just imagine a ddos
mail attack, where you spoof couple of packets from the network you
want to damage, and thousands of idiot scripts send mail to the
arin contact information. This may sound irate, but seriously,
I think handing users these tools with no explanation is half-assed.

Though if they used a common XML alert format and could be sent to
a single site for processing (a la aris.securityfocus), that might
be a little more sensible.

It doesn't make sense to equip users with an automated incident
reporting tool with nobody to report to.

My 1.26904 cents after exchange.

--
batz
Reluctant Ninja
Defective Technologies







Hosted Email Solutions

Invaluement Anti-Spam DNSBLs



Powered By FreeBSD   Powered By FreeBSD