On Mon, Dec 13, 2021 at 03:50:11PM +0100, Jörg Kost wrote:
> But in a world where the attacker can leak out a whole 16-bit integer, monitoring that 0.003% for two-port states may be irrelevant. Not saying you shall not, but you will miss 99.997%. Agree?
There's all sorts of statements I might agree with. However, if I have an easy indicator of a known problem, such as "LDAP traffic to an unknown server", I might be very tempted to set the IDS to notify me if it sees the weird thing, and then let the very fast moron just do its job. That's what it's there for, after all. Right?

I don't care if it misses 9% or 99% or 99.997%. If I can generate some cheap and easy hits, without finding out about problems the Equifax way, I don't see the harm in that. Sometimes we do things "just in case."

... JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'" - Asimov
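A minimal version of the cheap "LDAP traffic to an unknown server" indicator discussed above, as an added example that is not part of the thread. The flow records, the LDAP port set and the allowlist of known directory servers are all constructed; as the thread says, it only catches the obvious case (standard LDAP ports) and will miss anything else.

```python
# Added example (not from the thread): flag flows on LDAP ports whose
# destination is not one of the organisation's known directory servers.
from ipaddress import ip_address, ip_network

LDAP_PORTS = {389, 636}                          # plain LDAP and LDAPS
KNOWN_LDAP_SERVERS = [ip_network("10.0.5.0/24")] # constructed allowlist

# Constructed flow records: "timestamp src dst dport proto"
SAMPLE_FLOWS = """\
2021-12-13T14:50:11Z 10.1.2.3 10.0.5.10 389 tcp
2021-12-13T14:50:12Z 10.1.2.3 10.0.5.11 636 tcp
2021-12-13T14:50:13Z 10.1.2.7 203.0.113.45 389 tcp
2021-12-13T14:50:14Z 10.1.2.7 203.0.113.45 443 tcp
"""


def parse_flow(line):
    """Split one flow record into its fields; addresses become ip_address objects."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "dport": int(dport), "proto": proto}


def is_known_ldap_server(addr):
    """True if the destination falls inside an allowlisted directory-server range."""
    return any(addr in net for net in KNOWN_LDAP_SERVERS)


def find_unknown_ldap(lines):
    """Return the parsed flows that hit an LDAP port on a non-allowlisted host.

    Anything on a non-standard port (the 99.997% case) is deliberately not
    examined: this is the cheap indicator, not a complete detector.
    """
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec["dport"] in LDAP_PORTS and not is_known_ldap_server(rec["dst"]):
            hits.append(rec)
    return hits


def alerts(text=SAMPLE_FLOWS):
    """Render one alert line per hit, in the shape an IDS notification would carry."""
    return [f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} LDAP to unknown server"
            for h in find_unknown_ldap(text.splitlines())]


if __name__ == "__main__":
    for a in alerts():
        print(a)
```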