On Mon, 22 Sep 2003 07:04:04 PDT, security snot <booger@xxxxxxxxxxxx> said:

> 1) If the intrusion were limited to a single "shellbox" then why did they
> need to audit the code in CVS to see if it was backdoored?

Would you rather they just said "Oh, since we *KNOW* the intrusion was only
on one shellbox we won't bother looking at anything else?" It's through
things like audits and system integrity checks that you establish that, in
fact, the intrusion did appear to be limited to one box.

> 2) If the Snort developers cannot configure Snort to detect attacks on
> their own networks, why are you hiring Sourcefire to install said
> mechanisms on your network to protect you?

Snort is only designed to catch certain things. As far as I can tell, at the
time of the intrusion, said attack wasn't recognized as being in the problem
space. Maybe they're hiring Sourcefire because they recognize that even
though neither the people nor the product is perfect, having Sourcefire do it
for them is still a better bet than trying to get it right themselves.

The mechanic I take my car to isn't perfect, he admits it. Had to take my car
back once because a bolt didn't get tightened down right. On the other hand,
I still take my car to that shop, because it's (a) reasonably priced and
(b) the guy has a better chance of rebuilding the carburetor on an '87 Tercel
than I do.

> 3) Why the fuck do people still think signature-based IDS is worthwhile?

Just because a signature-based IDS doesn't catch 100% of anything doesn't
mean it's not worthwhile. Why the fuck do people still think police are
worthwhile, they only catch 95% of the criminals? Why the fuck do people
still think having an independent accounting firm look over the books is
worthwhile, they only find the embezzlers 95% of the time?
Attachment:
pgp00058.pgp
Description: PGP signature
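The reply above argues that the scope of an intrusion ("only one shellbox") is something you establish with audits and integrity checks, not something you assume. The following is an added illustration of the integrity-check half of that, not code from the poster or from the Snort/Sourcefire projects: it records a SHA-256 baseline of a directory tree and later diffs the live tree against it, reporting files that were added, removed or modified. Directory paths, the baseline file name and the sample files are assumptions made for the example; in practice the baseline must be stored off the host (or signed), since a baseline an intruder can rewrite proves nothing.

```python
"""File-integrity baseline and verification (added example, not from the post)."""
import hashlib
import json
import os
import sys
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Walk `root` and record hash, size and permission bits for every regular file.

    Symlinks are skipped: hashing their target would let a planted link to an
    unchanged file mask a swapped binary.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        rel = p.relative_to(root).as_posix()
        baseline[rel] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),  # a flipped setuid bit is a change too
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines; any differing attribute counts as a modification."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, out_path) -> None:
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(in_path) -> dict:
    with open(in_path) as f:
        return json.load(f)


def main(argv) -> int:
    # Usage (paths are placeholders):
    #   python integrity.py init   /srv/cvsroot baseline.json
    #   python integrity.py verify /srv/cvsroot baseline.json
    if len(argv) != 4 or argv[1] not in ("init", "verify"):
        print("usage: integrity.py init|verify <dir> <baseline.json>", file=sys.stderr)
        return 2
    cmd, root, store = argv[1], argv[2], argv[3]
    if cmd == "init":
        save_baseline(build_baseline(root), store)
        return 0
    report = compare(load_baseline(store), build_baseline(root))
    for kind in ("added", "removed", "modified"):
        for rel in report[kind]:
            print(f"{kind.upper():9} {os.path.join(root, rel)}")
    # Non-zero exit when anything differs, so it can gate a cron job or CI step.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `init` on a known-good tree (ideally from clean media, before the box is exposed) and `verify` afterwards; a clean verify over the CVS tree and system binaries is the kind of evidence that lets an operator say "limited to one box" and mean it.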