Re: [RFC] programmatic IDS routing



On Wednesday 19 March 2008 13:40:21 Steve Grubb wrote:
> On Wednesday 19 March 2008 13:12:22 Linda Knippers wrote:
> > Rather than using the key for two purposes and introducing special key
> > words, couldn't an admin just tell the IDS which he's are of interest?
> > And what the priority of each one is?
>
> The problem is that you can tell the IDS that you want any reads
> of /opt/my-secrets, but unless you have a matching audit rule you will not
> get any records. This allows you to make sure you have a watch paired with
> its meaning.

And I should add, the IDS could run on each remote system, or off an 
aggregator. This means expressing rules gets more complicated when you have 
to express rules as on this particular host, I am looking for files in this 
location. To me, it's just simpler and hopefully less error prone to use the 
key field like this.

-Steve

