 From:  • • <googl3meister at gmail dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IDSFirewall "koolaid" ;] "Re: [m0n0wall] Re: m0n0wall + Snort"
 Date:  Thu, 23 Jun 2005 08:23:04 +1000
On 6/22/05, Chris Buechler <cbuechler at gmail dot com> wrote:
> On 6/22/05,   <googl3meister at gmail dot com> wrote:
> >
> > > Then since you don't allow anything inbound, you're just doing it for
> > > the sake of seeing what's out there because you're curious.  That's
> > > much different than relying on it for detecting intrusions.  You're
> > > just using it as an Internet Crud Detector. (how about a new acronym,
> > > ICD!)  :)   You aren't going to detect any intrusions because you
> > > aren't allowing any of that traffic in.  A simple ICD is fine for the
> > > sake of the curious, but if you actually want to detect intrusions,
> > > it's of little value.
> > >
> >
> > I'm sorry but that's just not true - I still use it to get out...  I'm
> > sorry, but you don't appear to have much commercial experience with
> > snort.
> >
> I have plenty of commercial IDS experience, including Snort.  You're
> missing my point.  If you're dropping all inbound traffic, as you
> said, you *aren't* detecting intrusions!  There can't be any!!  (at
> least in the traditional inbound from the Internet sense)  You're
> detecting crud on the Internet that can't possibly hurt you.

I'm not missing any points, but just to recap:
 - I don't recall saying I ever had an IDS running as a full blown
IDS, so accusing me of not having one is kinda pointless.  I am well
aware of what I've built. I simply responded to the list with comments
from my recent experience.
 - Yes, a new ICD rule was added to snort yesterday and your emails
keep triggering it :)
 - Accusing me of not detecting anything is plain ludicrous - true I
won't be detecting any intrusions unless bugs in m0n0/snort or a
trojan makes its way in via other means (SSL, VPN, laptop), but
otherwise I still see an enormous number of intrusion attempts on the
outside, not to mention all the other cruft.
 - What I said is that I installed snort on the m0n0 image and am
using it for RESEARCH.

The last sentence is the key.  If you have an issue with any of
that... feel free to direct to /dev/null.  IDS is always a contentious
issue, but please don't clutter the list with statements like, "You're
not detecting anything" because that is just a plain outright lie and
you should know better if you have the experience you say you have.

--no hard feelings