[Dshield] Question for all
Johannes B. Ullrich
jullrich at sans.org
Tue Feb 3 22:25:15 GMT 2004
On Tue, 2004-02-03 at 16:11, Mrcorp wrote:
> No offense, but as a company, I would not sell to my
> management that I need an entire IDS for
> Johannes. I mean I love you and all man, but that wouldn't fly...
hehe.... I am a fan of the "IDS behind FW" philosophy, in particular
if you have money for only one IDS ;-). And if you have one outside,
don't use it to send data to DShield...
There are a couple of reasons that go against an IDS outside of the
- First of all, you may be flooded by chunk and actually miss
- Then, you will likely not see any payload anyway for packets that
are dropped at the firewall. In that sense, just make sure your
firewall is logging as much as it can.
Of course, as an IDS analysis, you can never have enough data. If you
are serious, get a simple system with big disk and just log everything at
the outside ('tcpdump -s 1460 -w /var/junk/tcpdump-YYYY-MM-DD-HH.log'),
rotate the log once an hour, and discard them once the disk fills up.
This way, you have a good packet trail for forensics if odd things
Instead of just dumping the logs, you may want to keep the headers for
old stuff for a while.
However, if you do this, please consider privacy laws! In particular if
you are an ISP or a University, you may not be permitted to log
everything that crosses the wire. In that case, you may need an IDS just
to be able to log only relevant traffic.
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 837 2807 jullrich at sans.org
contact details: http://johannes.homepc.org/contact.htm
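The capture setup described in the message above (full-packet tcpdump on the outside, hourly rotation, discard the oldest files when the disk fills, keep only headers for older captures), as an added example that is not from the original post or DShield. It assumes a /var/junk capture directory, interface eth0, and Wireshark's editcap for the header-only step; the retention values are placeholders.

```shell
#!/bin/sh
# Hourly full-packet capture on the outside interface, ring-buffer style,
# plus a header-only retention step for older captures.
# Assumptions (not from the original post): /var/junk as capture directory,
# eth0 as the outside interface, Wireshark's editcap for truncating files.

CAPDIR="${CAPDIR:-/var/junk}"
IFACE="${IFACE:-eth0}"
MIN_FREE_KB="${MIN_FREE_KB:-1048576}"     # discard oldest below 1 GiB free
HDR_AFTER_HOURS="${HDR_AFTER_HOURS:-24}"  # shrink captures older than this
HDR_SNAPLEN=96                            # Ethernet + IP + TCP headers

# Start the capture: -s 1460 as in the post, -G 3600 rotates hourly and
# the strftime escapes in -w name each file after the hour it covers.
capture_hourly() {
    tcpdump -n -i "$IFACE" -s 1460 -G 3600 \
        -w "$CAPDIR/tcpdump-%Y-%m-%d-%H.pcap" "$@"
}

# Free space on the capture filesystem, in KiB (POSIX df -P output).
avail_kb() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Delete the single oldest capture in DIR and print its name.
# Returns 1 when there is nothing left to delete.
prune_oldest() {
    oldest=$(ls -1tr "$1"/*.pcap 2>/dev/null | head -n 1)
    [ -n "$oldest" ] || return 1
    rm -f -- "$oldest"
    printf '%s\n' "$oldest"
}

# Discard oldest captures until MIN_FREE_KB is available or nothing is left.
discard_when_full() {
    dir=$1; min=$2
    while [ "$(avail_kb "$dir")" -lt "$min" ]; do
        prune_oldest "$dir" >/dev/null || return 1
    done
}

# Keep only headers of captures older than HDR_AFTER_HOURS: rewrite each
# file with a short snaplen so payload is dropped but the packet trail
# (addresses, ports, flags, timing) survives for forensics.
headers_only_old() {
    find "$1" -name 'tcpdump-*.pcap' -mmin +$(( HDR_AFTER_HOURS * 60 )) |
    while read -r f; do
        editcap -s "$HDR_SNAPLEN" "$f" "$f.tmp" && mv -f "$f.tmp" "$f"
    done
}
```

Run capture_hourly in the background and call discard_when_full "$CAPDIR" "$MIN_FREE_KB" and headers_only_old "$CAPDIR" from an hourly cron job.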