
Re: OT: An Idea for an IDS



Greetings!

On Mon, 30 Jun 2003 18:38:33 -0400 Phillip Hofmeister
<plhofmei@zionlth.org> wrote:

> This daemon
> would then parse the log and look for suspicious things.  If it found
> something suspicious it would use a regular expression to grab out
> pertinent parts of the log (say the IP address) and act on the log
> accordingly (in real time) by say dropping an IPTABLE rule down on the
> IP address.

...which is the official license to shoot yourself in the foot. What
happens if I send you a forged, suspicious packet with source-IP equal
to the IP address of your gateway router, your DNS server, your internal
system(s), ...

For this reason, automated systems did not gain much acceptance, as
they were/are more of a hassle than useful. Today there are only very few
systems left that still implement some automated IP-killing scheme.

Bye

Volker Tanger

-- 
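The failure mode raised in this reply, as an added example that is not part of the original message: a log-driven blocker that refuses to act on source addresses it must never cut off (gateway router, DNS server, internal systems) and reports them for review instead. The log format, addresses, threshold and function names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed values (assumptions): addresses that must never be auto-blocked.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "192.0.2.1/32",   # gateway router
    "192.0.2.53/32",  # DNS server
    "10.0.0.0/8",     # internal systems
    "127.0.0.0/8",    # loopback
)]
THRESHOLD = 3  # assumption: events from one source before a block is proposed

# Hypothetical log format: "<time> SUSPICIOUS src=<ip> <detail>"
LINE_RE = re.compile(r"SUSPICIOUS src=(\S+)")

def decide(log_lines):
    """Return (proposed iptables rules, refused source addresses)."""
    counts, refused = {}, set()
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))  # iptables handles IPv4 only
        except ValueError:
            continue  # the regex captured something that is not an address
        if any(ip in net for net in NEVER_BLOCK):
            refused.add(str(ip))  # probably forged: alert a human, do not block
            continue
        counts[str(ip)] = counts.get(str(ip), 0) + 1
    rules = [f"iptables -I INPUT -s {ip} -j DROP"
             for ip, n in sorted(counts.items()) if n >= THRESHOLD]
    return rules, sorted(refused)

# Constructed sample log lines.
SAMPLE_LOG = [
    "18:38:01 SUSPICIOUS src=203.0.113.7 portscan",
    "18:38:02 SUSPICIOUS src=192.0.2.1 portscan",    # claims to be the gateway
    "18:38:03 SUSPICIOUS src=203.0.113.7 portscan",
    "18:38:04 SUSPICIOUS src=10.1.2.3 bad-login",    # claims to be internal
    "18:38:05 SUSPICIOUS src=203.0.113.7 portscan",
    "18:38:06 SUSPICIOUS src=198.51.100.9 portscan", # below the threshold
    "18:38:07 SUSPICIOUS src=999.1.1.1 garbage",     # not a valid address
]

if __name__ == "__main__":
    rules, refused = decide(SAMPLE_LOG)
    print("\n".join(rules))
    print("refused (review manually):", refused)
```

The never-block list only protects the addresses it names; a forged source can still get any other address blocked, so the proposed rules are returned as text for review rather than executed.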


     


