Snort up For Revamp, says Creator
A reader writes:"The creator of Snort, the open-source network-based Intrusion Detection System (IDS), says the software is up for an overhaul. Martin Roesch has told the AusCERT conference IDS has failed to impress the market, citing the inability of many to minimise the number of false alarms triggered by the monitoring devices. The next iteration will include "passive discovery" features."
While this would be cool, the nature of TCP/IP says that it will be quickly defeated. There are already programs out there that will make your Linux box masquerade as another type of computer.
If a policy says, thou shalt not run P2P - then the P2P will be reached through proxy. If you use snort regular expression detection (one of the coolest features) then new protocols will be written to look like an innocuous service (P2P though ICMP/Ping).
The worst part, and my buddy Zero Hex could talk about this forever, is when ISPs start using this to enforce their will on users. Thou shalt not connect without Windows.
Basically, it's not likely to enforce policies among those who actively want to get around them. Instead, it will enforce policies that push an agenda.
Kinetic stupidity has a new brand leader: Allen Zadr.
the problem with IDS systems is encrypted traffic
if someone wants to attack your network, they can easily implement proxy which will encrypt all the traffic they transfer and thus disabling the IDS's ability to analyze the traffic
There are no atheists when recovering from tape backup.