[Gllug] latest zero day Word flaw

Bruce Richardson itsbruce at workshy.org
Thu Dec 7 16:21:58 UTC 2006


On Thu, Dec 07, 2006 at 11:52:05AM +0000, - wrote:
> About the best case for NIDS I can come up with is that it might allow
> you to retroactively see if you were compromised after becoming aware
> of a vulnerability. But even then, if Snort has a signature for an
> attack, you should know about the vulnerability associated with that
> signature, so it's a pretty weak case.

No, it isn't a weak case.  NIDS logs will tell you what actually
happened after the event, even if the targeted systems were trashed
completely.  You may know about a vulnerability and think you have
protected yourself, but you may have made a mistake; if this happens,
Snort logs may at least show you what you did wrong so that you can fix
it.

A NIDS set-up will probably also not simply be logging specific attacks
but general information that you can analyse later.  If a new attack is
discovered, you may want to go back to those logs and look for evidence
of its having been used against you.

Skilled practitioners claim to be able to use Snort rulesets to detect
new, undocumented attacks and you could certainly use them to detect
patterns of network activity that indicated that there had been a
successful breach of security, without needing to know how it had been
done.

It's a bit like arguing against syslog because "You should know about
all the bugs and potential problems in your applications and OS and
you should have protected against them, so why have logs?"

-- 
Bruce

What would Edward Woodward do?
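The two uses of NIDS logs argued above, as an added Python example (not code from the thread or from Snort): it replays stored flow records against a content rule written after the fact, and separately flags internal hosts making unexpected outbound connections, which indicates a breach without knowing how it happened. The flow records, addresses and the rule are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed flow records, assumed to have been logged by the sensor
# days before any signature for the new flaw existed.
T0 = datetime(2006, 12, 5, 9, 0)
FLOWS = [
    Flow(T0, "10.0.0.5", "10.0.0.2", 25, b"MAIL FROM:<alice@example.org>"),
    Flow(T0 + timedelta(minutes=2), "203.0.113.4", "10.0.0.2", 25,
         b"Content-Type: application/msword\r\n\r\n\xd0\xcf\x11\xe0"),
    Flow(T0 + timedelta(minutes=40), "10.0.0.9", "198.51.100.7", 6667, b"NICK ws9"),
    Flow(T0 + timedelta(hours=1), "10.0.0.9", "10.0.0.2", 25, b"MAIL FROM:<bob@example.org>"),
    Flow(T0 + timedelta(hours=2), "10.0.0.9", "198.51.100.7", 6667, b"JOIN #x"),
]

# A rule written after the flaw became public, in the spirit of a Snort
# content match (hypothetical; the bytes are the generic OLE2 file header).
NEW_RULES = [
    {"msg": "Word document attachment via SMTP", "dport": 25,
     "content": b"\xd0\xcf\x11\xe0"},
]


def retro_scan(flows, rules):
    """Replay stored flows against rules that did not exist when they were logged."""
    hits = []
    for f in flows:
        for r in rules:
            if f.dport == r["dport"] and r["content"] in f.payload:
                hits.append((f.ts.isoformat(), r["msg"], f.src, f.dst))
    return hits


def unexpected_outbound(flows, internal_prefix="10.0.0.", allowed_ports=(25, 80, 443)):
    """Internal hosts talking to external addresses on ports outside the
    allowed set: a breach indicator that needs no knowledge of the exploit."""
    seen = {}
    for f in flows:
        external = not f.dst.startswith(internal_prefix)
        if f.src.startswith(internal_prefix) and external and f.dport not in allowed_ports:
            seen.setdefault(f.src, set()).add((f.dst, f.dport))
    return {host: sorted(peers) for host, peers in seen.items()}
```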