On Fri, Dec 08, 2000 at 09:44:50AM +0200, typo wrote:
> > What types of attacks, what specific ports, what patterns should a
> > [intrusion detection/monitoring] system like this be watching for? What
> > is the most common attack seen today?
> 
> Logically, the first step in trying to break into any system one doesn't
> have physical access to, is to find out what types - and versions - of
> services the target system is running, since the net is full of already
> made exploits for buggy software. So, the first warning of a potential
> intrusion attempt is port scanning.

Actually an IDS should not alert on "the most common attacks" because those
will happen so often you don't have the time to care for them. The same is true
for portscans. You can log them. For some systems (like DMZ servers) it
might also be useful to monitor for portscans, because this can show you
problems with the firewall.

Personally I enjoy the features of IDS systems in parts of my network where
I want to be sure no unwanted actions occur. For example, I monitor all
Connection Refused messages in my DMZ.

I am using Snort for that.

Greetings
Bernd
-- 
  (OO)      -- [EMAIL PROTECTED] --
 ( .. )  ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
  o--o     *plush*  2048/93600EFD  eckes@irc  +497257930613  BE5-RIPE
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
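
Added example, not part of the original message and not the poster's Snort setup: a Python sketch of the "connection refused" monitoring described above, pairing each SYN with the RST+ACK that answers it and separating connects that reached a closed DMZ port (a firewall gap) from refused connects started by a DMZ host. The DMZ range, the kind labels and the tcpdump-style sample lines are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("192.0.2.0/24")  # assumption: stand-in range for the DMZ

# Start of a `tcpdump -n` TCP line: "IP src.sport > dst.dport: Flags [..]"
LINE_RE = re.compile(r"IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([^\]]+)\]")

def refused_connections(lines, dmz=DMZ_NET):
    """Count SYNs answered by RST+ACK ("connection refused") that touch the DMZ."""
    pending = set()     # (client, cport, server, sport) SYNs still unanswered
    report = Counter()  # (kind, client, server, server_port) -> count
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            pending.add((src, sport, dst, dport))
            continue
        syn = (dst, dport, src, sport)  # the SYN this packet would answer
        if syn not in pending:
            continue                    # e.g. RST of an established session
        pending.discard(syn)
        if flags != "R.":
            continue                    # SYN+ACK: the connect succeeded
        # For a refusal, dst is the client that was refused and src the server.
        kind = ("dmz_host_initiated" if ip_address(dst) in dmz else
                "reached_closed_dmz_port" if ip_address(src) in dmz else None)
        if kind:
            report[(kind, dst, src, int(sport))] += 1
    return report

# Constructed capture lines (not real traffic), in tcpdump -n style.
SAMPLE = [
    "10:00:01 IP 203.0.113.7.40112 > 192.0.2.10.23: Flags [S], length 0",
    "10:00:01 IP 192.0.2.10.23 > 203.0.113.7.40112: Flags [R.], length 0",
    "10:00:02 IP 203.0.113.7.40113 > 192.0.2.10.23: Flags [S], length 0",
    "10:00:02 IP 192.0.2.10.23 > 203.0.113.7.40113: Flags [R.], length 0",
    "10:00:03 IP 203.0.113.7.40114 > 192.0.2.10.80: Flags [S], length 0",
    "10:00:03 IP 192.0.2.10.80 > 203.0.113.7.40114: Flags [S.], length 0",
    "10:00:09 IP 192.0.2.10.80 > 203.0.113.7.40114: Flags [R.], length 0",
    "10:00:10 IP 192.0.2.10.51000 > 198.51.100.5.6667: Flags [S], length 0",
    "10:00:10 IP 198.51.100.5.6667 > 192.0.2.10.51000: Flags [R.], length 0",
]

if __name__ == "__main__":
    for (kind, client, server, port), n in refused_connections(SAMPLE).items():
        print(f"{n}x {kind}: {client} -> {server}:{port}")
```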