> From: "Mark Teicher" <[EMAIL PROTECTED]>
>
> Actually, there is more to it than that.
>
> Logging - what type of output (.gz, zip, .tar, .enc, .cap, tcpdump ...
I just said 'good logging'. Your definition of 'good' is up to you.
> 2. Hack utilities - where does one receive corporate support for hack
> utilities, unless you pay for them (i.e. L0phtcrack, ISS Security Scanner,
> Cybercop, Retina, Nessus and on and on).. Those types of hack utilities may
> or may not test for all the cgi-bin/phf variations, some IDS may not detect
> either.
To know whether your IDS actually detects current exploits, you need to be
both aware of the current exploits and either how to test them against your
IDS or know someone else has. This is where a good mailing list about
vulnerability testing comes in handy (like the discussion forums for Snort).
> 3. Unless you're a whiz at crafting malicious or varying sized packets loaded
> with exploits, etc
... or you have a security company you trust monitor and keep your IDS up to
date for you. (Entirely new issue there ... )
> 4. What about application testing tools, what QoS, etc, etc. Organizations
> are looking at IDS to be able to handle lots and lots of traffic, typical
> hack utilities do not test for that
It's not that hard to get a series of replayable logs from something like
Snort or tcpdump that you can throw at your network over and over and over
again as fast as you can ...
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
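The replay approach the reply describes, as an added example that is not part of the original thread: a small reader for tcpdump/Snort pcap captures that pushes each packet through a caller-supplied send() (assumed to be a raw-socket wrapper in practice, or a plain list for offline testing), looping as many times as needed, either with the capture's original timing or back-to-back to stress the sensor.

```python
# Added example (not from the original thread): replay a tcpdump/Snort pcap
# repeatedly through a caller-supplied send() (assumed: raw-socket wrapper, or a
# list for offline testing) to load-test an IDS sensor, as the reply suggests.
import struct
import time

# pcap magic as read little-endian from the first 4 bytes -> struct byte order
_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}  # microsecond-timestamp pcap only

def parse_pcap(data):
    """Yield (timestamp_seconds, packet_bytes) for each record in a pcap file."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    order = _MAGIC.get(struct.unpack("<I", data[:4])[0])
    if order is None:
        raise ValueError("not a microsecond-timestamp pcap file")
    off = 24  # past the global header: magic, version, tz, sigfigs, snaplen, linktype
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        sec, usec, incl_len, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):  # capture cut off mid-packet (tcpdump killed)
            raise ValueError(f"truncated packet data at offset {off}")
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len

def replay(data, send, loops=1, topspeed=False):
    """Send every packet `loops` times; returns the packet count actually sent.
    topspeed=False keeps the original inter-packet gaps; True sends back-to-back."""
    packets = list(parse_pcap(data))  # parse once; the replay loops cost no parsing
    sent = 0
    for _ in range(loops):
        prev = None
        for ts, pkt in packets:
            if not topspeed and prev is not None and ts > prev:
                time.sleep(ts - prev)
            prev = ts
            send(pkt)
            sent += 1
    return sent

def build_pcap(records, order="<"):
    """Constructed sample capture (linktype 1 = Ethernet) for offline testing."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, pkt in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack(order + "IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return out
```

A capture that was cut off mid-packet (a common result of killing tcpdump) is rejected up front rather than silently replaying a short last frame, so a load run never reports more traffic than it actually delivered.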