NOTE: All opinions are my own and in no way reflect the views of my employer.
Actually, the capabilities you describe as coming in the next 4 or 5 years for IDS are here or coming in the next year for central monitoring consoles. By implementing it in a sensor-neutral system, you can implement a solution that performs the confidence evaluation using detection tools that are best-of-breed (as cliché as that line is) for their specific technique: protocol analysis, traffic analysis or straight signature matching.

Toby

> -----Original Message-----
> From: Marcus J. Ranum [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, March 06, 2002 4:01 PM
> To: Mark Crosbie; Carr, Aaron [CNTUS]
> Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: IDS that retaliates.
>
> Mark Crosbie wrote:
> >What good does retaliation really get you though (apart from a whole
> >load of legal headache)? Wouldn't "recovery" be a better goal to aim
> >for?
>
> We've often gotten requests for "firewall reconfiguration" or other types
> of "reaction" - what's interesting to me is that all these requests:
>   - reaction
>   - retaliation
>   - repair
> will be limited by the degree of certainty the IDS is able to achieve. If
> you've got a 100% accurate diagnosis of the attack and its source then
> you _might_ be able to take some steps. If it's not 100% accurate then
> things start to go rapidly downhill. :) I think that in the next 4 or 5 years
> we'll see IDS getting close to being able to do such things but before we
> get there, you'll see:
>   - IDS correlation of significance: mapping events against types of
>     attacks against types of targets and re-prioritizing their significance.
>   - IDS indication of confidence level: IDS will start to associate a
>     confidence value with an alert instead of just a severity. This is an
>     "oh, DUH!" that a lot of us security guys have had recently: the
>     severity of the problem is _not_ the same as the IDS' confidence
>     of its diagnosis.
>   - Establishment of mapping between significance (operationally set)
>     of targets versus reactions.
>
> Heck, I'd like my system not to retaliate or reconfigure but
> to fix itself. :)
>
> ALERT: SYSALERT, Severity=10, Confidence=10 - your system was
> vulnerable to attacks that are being launched against it. OpenBSD
> has automatically been installed replacing the copy of Linux that was
> on it...
>
> :)
>
> mjr.
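The three things the quoted message expects from IDS (re-prioritizing an event by whether the attack even applies to the target, carrying a confidence value separate from severity, and mapping operationally set target significance to a reaction) fit together in one small correlation step. The following is an added example written for this page, not code from either poster or from any product they mention. The asset inventory, attack catalogue, sensor names, alert fields, thresholds and the sample alerts are all constructed for illustration; the confidence-combination rule assumes independent sensors, which is stated in the code.

```python
"""Alert re-prioritization keeping severity and confidence separate.

Added example, not from the original thread. Every host, attack, sensor
name, threshold and alert below is constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed inventory: what each target runs and how much the operator
# cares about it (the "operationally set" significance, 1..10).
ASSETS = {
    "10.0.0.5": {"os": "linux", "services": {"apache"}, "significance": 9},
    "10.0.0.7": {"os": "windows", "services": {"iis"}, "significance": 4},
}

# Constructed attack catalogue: platform/service the attack applies to, and
# how bad it is IF it succeeds (severity, independent of any sensor's belief).
ATTACKS = {
    "iis-unicode-traversal": {"os": "windows", "service": "iis", "severity": 8},
    "apache-chunked-overflow": {"os": "linux", "service": "apache", "severity": 10},
}


@dataclass
class Alert:
    sensor: str
    attack: str
    src: str
    dst: str
    confidence: float  # this sensor's belief that its diagnosis is right, 0..1


@dataclass
class Verdict:
    attack: str
    dst: str
    severity: int
    significance: int
    confidence: float
    reaction: str
    sensors: list = field(default_factory=list)


def applicable(attack: str, dst: str) -> bool:
    """Can this attack affect the target at all? Unknown hosts are not ruled out."""
    a = ATTACKS[attack]
    host = ASSETS.get(dst)
    if host is None:
        return True
    return host["os"] == a["os"] and a["service"] in host["services"]


def combine_confidence(values) -> float:
    """Agreeing sensors raise confidence: 1 - prod(1 - c_i).

    Assumes sensor errors are independent, which is optimistic when two
    sensors share a signature feed; an empty list yields 0.0.
    """
    p_all_wrong = 1.0
    for c in values:
        p_all_wrong *= (1.0 - c)
    return 1.0 - p_all_wrong


def choose_reaction(severity: int, significance: int, confidence: float) -> str:
    """Reactions ordered cheap to costly; only near-certain, severe hits on
    important targets earn an automatic block."""
    if confidence < 0.3:
        return "log"
    if confidence < 0.9:
        return "notify-analyst"
    if severity >= 8 and significance >= 7:
        return "block-source"
    return "notify-analyst"


def correlate(alerts):
    """Group alerts by (attack, src, dst), combine confidence across sensors,
    drop significance when the attack cannot apply, then pick a reaction."""
    groups = {}
    for al in alerts:
        groups.setdefault((al.attack, al.src, al.dst), []).append(al)
    verdicts = []
    for (attack, src, dst), group in groups.items():
        conf = combine_confidence([a.confidence for a in group])
        sev = ATTACKS[attack]["severity"]
        sig = ASSETS.get(dst, {}).get("significance", 5)
        if not applicable(attack, dst):
            # A confident match of an attack the target is immune to stays in
            # the record but never triggers an automatic reaction.
            sig, reaction = 1, "log"
        else:
            reaction = choose_reaction(sev, sig, conf)
        verdicts.append(Verdict(attack, dst, sev, sig, conf, reaction,
                                [a.sensor for a in group]))
    return verdicts


# Constructed sample alerts from two different kinds of sensor.
SAMPLE_ALERTS = [
    Alert("sig-sensor", "apache-chunked-overflow", "203.0.113.9", "10.0.0.5", 0.7),
    Alert("proto-analyzer", "apache-chunked-overflow", "203.0.113.9", "10.0.0.5", 0.8),
    Alert("sig-sensor", "iis-unicode-traversal", "203.0.113.9", "10.0.0.5", 0.95),
    Alert("proto-analyzer", "iis-unicode-traversal", "198.51.100.4", "10.0.0.7", 0.2),
]

if __name__ == "__main__":
    for v in correlate(SAMPLE_ALERTS):
        print(f"{v.attack:25} -> {v.dst:10} sev={v.severity:2} sig={v.significance:2} "
              f"conf={v.confidence:.2f} reaction={v.reaction} via {v.sensors}")
```

The point to notice is that the IIS signature firing at the Apache host is the most confident match in the batch and still only gets logged, while two moderately confident sensors agreeing on an applicable, severe attack against an important host is what reaches the block threshold. The thresholds are placeholders; the structure (severity, confidence and significance kept as three separate inputs to the reaction choice) is the part worth keeping.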