Interview with Judy Novak, co-author of "Network Intrusion Detection 3/e"
by Mirko Zorz - Friday, 20 February 2003.
My closest reference to the controversy is Snort, the open source IDS. Snort is in a unique position because it is a collective open source effort that has probably literally hundreds, if not thousands, of eyes scrutinizing the code and improving it. I realize that not all open source garners as much attention or interest as Snort, but because of the group development model and intelligent direction provided by Marty Roesch, you have an excellent source code offering. This makes it hard for the proprietary offerings to compete with Snort because of the ready pool of free talent and resources available.

What advice would you give to people starting to learn about intrusion detection?

First learn TCP/IP well since you'll need it to understand traffic analysis, the foundation of intrusion detection. Learning theory is great, but then you have to put the theory to practice by analyzing traffic. Assuming you have no existing IDS, I would download and install Snort and take a look at the output. There is plenty of documentation available on the Internet that gives you pointers and tips on installing and configuring Snort.

I think you also have to realize that although IDSs have come a long way, they are still in their infancy of evolution. That said, don't expect the best IDS to be even close to perfect. And even if you have the most capable IDS, as far as I'm concerned, it is next to worthless unless you have a savvy analyst. The analyst has to understand the traffic on the network before installing and customizing the IDS so that it will give you pertinent alerts and not just spew overwhelming volumes of garbage your way. I think this is one of the areas where management can be quite naive because they believe that running an IDS provides a totally automated solution. In reality, it is only the trained, savvy analyst who knows how to customize the IDS, maintain it, and comprehend the output.

I also think that doing intrusion detection can at once be both exciting and very mundane. At first, everything is new, and having insight about network traffic can be an eye-opening experience. But it can soon become very routine just examining the output from the IDS. And this is where you have to challenge yourself to be curious and explore, or become a screen watcher. Some IDSs have advanced features, rules languages, and optional configurations that will allow you to finely tune the rules, correlate events, and more accurately analyze traffic. So, study the IDS and learn to get the most out of it.
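The answer above recommends installing Snort, looking at its output, and then tuning it so it reports pertinent alerts rather than noise. As an added illustration of that workflow (this is not code from the interview, from Judy Novak, or from the Snort project), the script below parses a handful of constructed lines in Snort 2 "alert_fast" format, counts alerts per signature to find tuning candidates, emits a Snort `event_filter` line for each noisy signature (rate-limiting it per source rather than silencing it), and does one simple cross-signature correlation: sources that hit many distinct destinations. The rule names and SIDs are hypothetical, the alert lines are made up, and the parser assumes IPv4 addresses.

```python
"""Summarise Snort 'alert_fast' output to find noisy signatures and scanning hosts.

Added example, not part of the interview or of the Snort project. The alert
lines are constructed, the rule names and SIDs are hypothetical, and the
parser assumes Snort 2 fast-alert format with IPv4 addresses.
"""
import re
from collections import Counter, defaultdict

# Constructed sample output; the last line is deliberately not an alert.
SAMPLE_ALERTS = """\
02/20-10:15:32.123456  [**] [1:1000003:1] LOCAL SSH connection sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51022 -> 192.0.2.10:22
02/20-10:15:32.223456  [**] [1:1000003:1] LOCAL SSH connection sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51023 -> 192.0.2.11:22
02/20-10:15:32.323456  [**] [1:1000003:1] LOCAL SSH connection sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51024 -> 192.0.2.12:22
02/20-10:15:33.001000  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.50 -> 192.0.2.1
02/20-10:15:34.002000  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.51 -> 192.0.2.1
02/20-10:15:35.003000  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.52 -> 192.0.2.1
02/20-10:15:36.004000  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.53 -> 192.0.2.1
02/20-10:15:37.005000  [**] [1:1000001:1] LOCAL ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.54 -> 192.0.2.1
02/20-10:15:40.100000  [**] [1:1000002:1] LOCAL HTTP request with ../ in URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:40000 -> 192.0.2.20:80
this line is not an alert and must be skipped
"""

# Snort 2 fast format: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: N] {proto} src[:port] -> dst[:port]. Ports are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["gid"], a["sid"], a["rev"] = int(a["gid"]), int(a["sid"]), int(a["rev"])
        a["pri"] = int(a["pri"]) if a["pri"] else None
        alerts.append(a)
    return alerts


def count_by_signature(alerts):
    """{(gid, sid, msg): count}, most frequent first; the first thing to look at."""
    return dict(Counter((a["gid"], a["sid"], a["msg"]) for a in alerts).most_common())


def noisy_signatures(alerts, max_per_sig):
    """Signatures that fired more than max_per_sig times: candidates for tuning."""
    return [sig for sig, n in count_by_signature(alerts).items() if n > max_per_sig]


def event_filter_lines(alerts, max_per_sig, seconds=60):
    """Snort 2 threshold.conf lines capping each noisy SID to one alert per source
    per window, so the signature keeps firing but stops flooding the console."""
    return [
        f"event_filter gen_id {gid}, sig_id {sid}, type limit, track by_src, "
        f"count 1, seconds {seconds}"
        for gid, sid, _msg in noisy_signatures(alerts, max_per_sig)
    ]


def scanning_sources(alerts, min_targets):
    """Sources whose alerts touched at least min_targets distinct destinations:
    a cross-signature correlation that a per-rule view does not show."""
    targets = defaultdict(set)
    for a in alerts:
        targets[a["src"]].add(a["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for sig, n in count_by_signature(alerts).items():
        print(f"{n:4d}  [{sig[0]}:{sig[1]}] {sig[2]}")
    print("\n".join(event_filter_lines(alerts, max_per_sig=3)))
    print(scanning_sources(alerts, min_targets=3))
```

In practice the thresholds would be chosen after watching a full day of traffic rather than nine lines, and the `event_filter` output would be reviewed before being appended to threshold.conf; the point is that the noisy ICMP rule is rate-limited rather than deleted, while the three low-count SSH alerts from one source stand out only when correlated by destination.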

Copyright 1998-2014 by Help Net Security.