[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  =?WINDOWS-1252?B?lSCV?= <googl3meister at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IDSFirewall "koolaid" ;] "Re: [m0n0wall] Re: m0n0wall + Snort"
 Date:  Wed, 22 Jun 2005 08:13:26 -0400
On 6/22/05,   <googl3meister at gmail dot com> wrote:
> > Then since you don't allow anything inbound, you're just doing it for
> > the sake of seeing what's out there because you're curious.  That's
> > much different than relying on it for detecting intrusions.  You're
> > just using it as a Internet Crud Detector. (how about a new acronym,
> > ICD!)  :)   You aren't going to detect any intrusions because you
> > aren't allowing any of that traffic in.  A simple ICD is fine for the
> > sake of the curious, but if you actually want to detect intrusions,
> > it's of little value.
> >
> I'm sorry but that's just not true - I still use it to get out...  I'm
> sorry, but you don't appear to have much commercial experience with
> snort.

I have plenty of commercial IDS experience, including Snort.  You're
missing my point.  If you're dropping all inbound traffic, as you
said, you *aren't* detecting intrusions!  There can't be any!!  (at
least in the traditional inbound from the Internet sense)  You're
detecting crud on the Internet that can't possibly hurt you.