[Dshield] Question for all

Johannes B. Ullrich jullrich at sans.org
Tue Feb 3 22:25:15 GMT 2004

On Tue, 2004-02-03 at 16:11, Mrcorp wrote:
> No offense, but as a company, I would not sell to my 
> management that I need an entire IDS for
> Johannes.  I mean I love you and all man, but that wouldn't fly...

hehe.... I am a fan of the "IDS behind FW" philosophy, in particular
if you have money for only one IDS ;-). And if you have one outside,
don't use it to send data to DShield...

There are a couple of reasons that go against an IDS outside of the

- First of all, you may be flooded by junk and actually miss
  important stuff.

- Then, you will likely not see any payload anyway for packets that
  are dropped at the firewall. In that sense, just make sure your
  firewall is logging as much as it can.

Of course, as an IDS analyst, you can never have enough data. If you
are serious, get a simple system with big disk and just log everything at
the outside ('tcpdump -s 1460 -w /var/junk/tcpdump-YYYY-MM-DD-HH.log'),
rotate the log once an hour, and discard them once the disk fills up.

This way, you have a good packet trail for forensics if odd things

Instead of just dumping the logs, you may want to keep the headers for
old stuff for a while.

However, if you do this, please consider privacy laws! In particular if
you are an ISP or a University, you may not be permitted to log
everything that crosses the wire. In that case, you may need an IDS just
to be able to log only relevant traffic.

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
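Added example (editor's note): the "log everything outside, rotate once an
hour, keep headers for old stuff, discard when the disk fills" setup from the
post, written out as a small retention script. This is not code from the
original message or from DShield/ISC. Assumptions that are not in the post:
the capture directory /var/junk and interface eth0 (overridable by
environment), tcpdump's own -G rotation with a strftime() filename instead of
an external rotator, Wireshark's editcap to cut saved captures down to
headers, 24 hours of full payload, and a 20 GB byte budget in place of "until
the disk fills" (a budget prunes before the capture itself starts dropping
packets for lack of space).

```shell
#!/bin/sh
# Added example, not code from the original post. Full-packet capture outside
# the firewall with hourly rotation, header-only retention of old files and
# oldest-first pruning against a byte budget. All defaults are assumptions.

CAPDIR="${CAPDIR:-/var/junk}"               # assumed capture directory
IFACE="${IFACE:-eth0}"                      # assumed outside interface
FULL_HOURS="${FULL_HOURS:-24}"              # keep full payload this long
BUDGET_BYTES="${BUDGET_BYTES:-20000000000}" # ~20 GB total, assumed
HDR_SNAPLEN=96                              # IP + TCP header incl. options

# Hourly rotation is done by tcpdump itself (-G 3600). The filename keeps the
# post's tcpdump-YYYY-MM-DD-HH pattern, so lexical order is chronological
# order and the oldest file is simply the first one in 'sort' order.
start_capture() {
    tcpdump -n -i "$IFACE" -s 1460 -G 3600 \
        -w "$CAPDIR/tcpdump-%Y-%m-%d-%H.pcap"
}

# Replace full captures older than $2 hours with header-only copies.
# Assumes Wireshark's 'editcap -s' is installed. Output gets the suffix
# .hdr.pcap so a later pass does not trim it again.
trim_to_headers() {
    dir=$1; hours=$2
    find "$dir" -name 'tcpdump-*.pcap' ! -name '*.hdr.pcap' \
         -mmin +"$((hours * 60))" | while read -r f; do
        editcap -s "$HDR_SNAPLEN" "$f" "${f%.pcap}.hdr.pcap" && rm -f -- "$f"
    done
}

# Total bytes of capture files in a directory (POSIX tools only).
capture_bytes() {
    total=0
    for f in "$1"/tcpdump-*.pcap; do
        [ -f "$f" ] || continue            # no match: glob stays literal
        total=$((total + $(wc -c < "$f")))
    done
    echo "$total"
}

# Delete the oldest capture (by name, i.e. by hour) until the directory fits
# in the byte budget. Returns 0 once under budget, 1 if nothing is left to
# delete and the directory is still over budget.
prune_to_budget() {
    dir=$1; budget=$2
    while [ "$(capture_bytes "$dir")" -gt "$budget" ]; do
        oldest=$(ls "$dir"/tcpdump-*.pcap 2>/dev/null | sort | head -n 1)
        [ -n "$oldest" ] || return 1
        rm -f -- "$oldest"
    done
    return 0
}

# One retention pass; intended to run from cron once an hour, after rotation.
retention_pass() {
    trim_to_headers "$CAPDIR" "$FULL_HOURS"
    prune_to_budget "$CAPDIR" "$BUDGET_BYTES"
}

# Usage: run 'start_capture &' once at boot, 'retention_pass' hourly from cron.
```

Note that the header-only step still stores addresses and ports, so the
privacy caveat in the post applies to the trimmed files as well; it only
removes payload, not who-talked-to-whom.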
