On 6/22/05, • • <googl3meister at gmail dot com> wrote:
>
> > Then since you don't allow anything inbound, you're just doing it for
> > the sake of seeing what's out there because you're curious. That's
> > much different than relying on it for detecting intrusions. You're
> > just using it as an Internet Crud Detector. (how about a new acronym,
> > ICD!) :) You aren't going to detect any intrusions because you
> > aren't allowing any of that traffic in. A simple ICD is fine for the
> > sake of the curious, but if you actually want to detect intrusions,
> > it's of little value.
> >
>
> I'm sorry but that's just not true - I still use it to get out... I'm
> sorry, but you don't appear to have much commercial experience with
> snort.
>

I have plenty of commercial IDS experience, including Snort. You're missing my point. If you're dropping all inbound traffic, as you said, you *aren't* detecting intrusions! There can't be any!! (at least in the traditional inbound from the Internet sense) You're detecting crud on the Internet that can't possibly hurt you.

-Chris