Pantek Library

Re: IDS is dead, etc

From: Bennett Todd <bet(at)rahul.net>
Date: Fri Aug 08 2003 - 13:40:21 EDT

2003-08-08T13:24:46 Scott Wimer:
> I think we are on the same page as to the utility of IDS systems.

Agreed.

> Where we differ is in our estimation of the level of vulnerability of

I'm not convinced this is true. I feel that you're putting words in my mouth. Unless I'm misunderstanding you, you seem to be responding to a claim that one can have perfectly secure software. I've not made such a claim, and will stand beside you refuting it. Perhaps once again my poor choice of words in that initial statement "perfect firewall" is biting me.

> The number of systems that are backdoored -- today, and the number

Sure --- but unless the black hats are the folks selling the IDSes, the IDSes won't catch these secret exploits anyway.

> Although, some will argue that the more behavioral oriented NIDS

I've heard of one device that I can believe can alert on a heretofore totally unknown exploit. Not all of 'em, of course, but some. That's Mazu Networks's enforcer/profiler gizmos. I myself wouldn't call 'em an IDS, I think they're something different, much more valuable, and their IDS functionality is the smallest part of what they're good at. To my tastes, their host classification and "what-if" modelling are the really hot capabilities. If they were as affordable as an IDS, then I think they'd help bolster your claim, but they really are something else and different.

IDSes detect known exploits, and sometimes heretofore unknown exploits of clearly known and understood vulnerabilities.

-Bennett

  • application/pgp-signature attachment: stored
Received on Mon Aug 11 10:50:38 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:16 EDT

