On Mon, Aug 25, 2003 at 01:56:40PM +0200, Javier Fernández-Sanguino Peña wrote:
> That's not correct, it cannot detected _new_ potentially harmful traffic.
> There's quite a lot of potentially harmful traffic (stable) snort can
> detect. The fact that it's not up-to-date does not mean that it's useless,
> it means that it won't detect new attacks (but it will detect old attacks).
> Depending on your security policy that might, or might not, be enough.
No. New attacks represent security threats. Old attacks represent curiosities, at best (i.e. have you seen any Redhat 6.2 rpc.statd attacks lately?)

An intrusion detection system that cannot detect known intrusions is not useful. It's dangerous in the same way that turning syslog off is dangerous: "Well, there's nothing in the logs, so the system must be fine."

If you have a specific policy that allows you to only be interested in ancient attacks, good for you. We cannot expect our users to be in such a position.

noah