On Sat, 19 Feb 2000, Bill Lavalette noc/sec Administrator wrote:

> You are right! But what the normal person does not think of is that it is 
> evidence, and if I'm not at that office when it gets scanned I want to be 
> mailed. I won't set up my network to appease a hacking tool, that's crazy, or 
> tone one down. If the user initiating it had not gone ahead and did what he 

You miss the entire point of my response; I'm not telling you to tone your
tools down, I'm saying that the tools should anticipate a large scale
attack, ALWAYS. You still have the evidence - it's in your logs. The
notification, however, should be attenuated to only notify during the
onset of an attack. 

> did, the end result would not take place. I can limit the amount of mail 
> that I receive but I choose not to. The point I'm trying to make is that 

Then it's your own fault. Why not send one message and then go look at
logs? 

> the pot, as an investigator of cyber crime I can tell you what you said is 
> exactly what is becoming more and more prevalent:
> sys admins get tired of receiving the email alerts and then disable the 
> alerting. I have seen it many many times and continue to see it; then when a 
> bad rule is found and they get in, I see scratched heads. This isn't the 

<rant>
No, that's not it at all. The fact that you use the term "cyber crime" at
all indicates that you're falling prey to the current marketing hoopla of
our time. All in all it's still a system, and what most of us do on a
daily basis is Network Intrusion Monitoring. 

I've detected more people with an appropriate IDS than with the
mail-per-packet scenario you speak of, because I was able to separate the
signal from the noise. 

"Cyber Crime" is a clever moniker thought up by the marketdroids, and
personally I find the term patently stupid. It's too generalized and a way
to explain what really happens to the lay people. Cyber-anything is just
dumb. Why not say what we're doing?

It's like when everyone started calling the Internet cyberspace, because
Gibson decided to coin the term. It's not cyberspace. It's not anything.
It's just the Internet and we all sendmail/buy shit/talk on it/whatever.
</rant>

What I said isn't becoming "more and more prevalent." What I describe is
how to properly notify response teams during an attack scenario. What
happens if your IDS becomes overwhelmed with all the emails? Your IDS then
fails to identify attacks after the first one. You have to have ways of
reporting what happens and what doesn't, and ways to ensure that the
monitoring system can withstand attacks itself.

> is a real life example: a burglar enters a home and gives the owner a heart 
> attack... he just murdered the victim. Back in my days of law enforcement 
> this was the example of the same argument. You can argue a) he never 
> intended to kill the owner, just wanted the TV, or b) if he didn't enter the 
> home then the owner would be alive. I bring this up because it reminded me 
> of that example I heard long ago..

You know, what if I was drunk and entered the home, thinking it was mine
because someone left the door open? Said person has a heart attack because
I scare them. Now, am I a burglar or what? Grey area or not, it's a poor
example of what happens on the Internet. 

-john

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
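The attenuation John argues for above (log every event, mail only at the onset of a burst, and go read the logs afterwards) can be shown in a small piece of code. What follows is an added example written for this page, not code from either poster or from any IDS product. The threshold, window and quiet-period values, the Event fields, and the sample traffic fed to it are all assumptions made up for the demonstration; the traffic is constructed inline, not captured from a network.

```python
"""Attenuated alerting for a network intrusion monitor (added example).

Every event is written to the log, unconditionally: that is the evidence.
A notification is sent only when a burst of events begins, and again only
after the burst has gone quiet and a new one starts. The mail-per-packet
design discussed in the thread is what this throttle replaces.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Event:
    ts: float   # seconds since start of capture (assumed unit)
    src: str    # source address as seen by the sensor
    msg: str    # signature name or free-text description


@dataclass
class AlertAttenuator:
    window: float = 10.0        # sliding window over which events are counted
    onset_threshold: int = 5    # events inside the window that mark the onset of an attack
    quiet_period: float = 60.0  # seconds with no events before the episode is considered over
    log: list = field(default_factory=list)            # every event, always
    notifications: list = field(default_factory=list)  # what actually gets mailed
    episodes: list = field(default_factory=list)       # (onset_ts, last_ts, event_count)
    _recent: deque = field(default_factory=deque)      # timestamps inside the window
    _last_ts: Optional[float] = None
    _onset_ts: Optional[float] = None                  # set while an episode is open
    _count: int = 0

    def observe(self, ev: Event) -> Optional[str]:
        """Record one event; return the notification text if one is due, else None."""
        # 1. Log unconditionally. The throttle must never cost us evidence.
        self.log.append(f"{ev.ts:.1f} {ev.src} {ev.msg}")

        # 2. If the previous episode has gone quiet, close it before looking at this event.
        if self._onset_ts is not None and ev.ts - self._last_ts > self.quiet_period:
            self._close_episode()
        self._last_ts = ev.ts

        # 3. Maintain the sliding window of recent event timestamps.
        self._recent.append(ev.ts)
        while ev.ts - self._recent[0] > self.window:
            self._recent.popleft()

        # 4. Inside an open episode: count it, stay silent. The log already has it.
        if self._onset_ts is not None:
            self._count += 1
            return None

        # 5. Outside an episode: notify exactly once, when the window crosses the threshold.
        if len(self._recent) >= self.onset_threshold:
            self._onset_ts = ev.ts
            self._count = len(self._recent)
            note = (f"ONSET {ev.ts:.1f}: {self._count} events in {self.window:.0f}s, "
                    f"latest {ev.src} {ev.msg}; further events are logged, not mailed")
            self.notifications.append(note)
            return note
        return None

    def flush(self, now: float) -> None:
        """Close an open episode if no event has arrived for a full quiet period."""
        if self._onset_ts is not None and now - self._last_ts > self.quiet_period:
            self._close_episode()

    def _close_episode(self) -> None:
        self.episodes.append((self._onset_ts, self._last_ts, self._count))
        self._onset_ts = None
        self._count = 0


def simulate() -> AlertAttenuator:
    """Run the attenuator over constructed sample traffic (not real capture data):
    sparse background hits, a 200-packet scan, a long silence, then a second scan."""
    a = AlertAttenuator()
    events = [Event(t, "192.0.2.7", "icmp echo") for t in (0.0, 30.0, 60.0, 90.0)]
    events += [Event(round(100.0 + i * 0.1, 1), "198.51.100.9", f"syn to port {1 + i}")
               for i in range(200)]
    events += [Event(round(500.0 + i * 0.5, 1), "203.0.113.4", f"syn to port {1 + i}")
               for i in range(50)]
    for ev in events:
        a.observe(ev)
    a.flush(now=1000.0)
    return a


if __name__ == "__main__":
    a = simulate()
    print(f"{len(a.log)} events logged, {len(a.notifications)} mails sent")
    for n in a.notifications:
        print(" ", n)
    for onset, last, n in a.episodes:
        print(f"  episode {onset:.1f}-{last:.1f}: {n} events")
```

With the assumed thresholds, the 254 constructed events produce two mails, one at the start of each scan, while every packet remains in the log and each episode's total is kept for the follow-up. The quiet period is what prevents a slow, continuous scan from re-triggering a mail on every packet; tune it to how long a responder needs before a fresh notification is useful rather than noise.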