Guy
"Kopf , Patrick E." wrote:
Actually,
I believe that Cisco's NetRanger product does implement a heartbeat function. If the sensor is unable to communicate with the director for longer than 1 minute, the director creates an alarm indicating that there is a communications problem between it and the sensor.

Pat Kopf
----------
From: Technical Incursion Countermeasures[SMTP:lists@ticm.com]
Sent: Friday, May 28, 1999 9:19 AM
To: Brian Holman
Cc: ids@uow.edu.au
Subject: Re: IDS: IDS Self-Test

>All,
>
> Does anyone know of an IDS which periodically self-tests? One criticism
> I have heard is that an IDS can be 'knocked out' and nobody would notice
> for quite a while. If the IDS injected a known 'intrusion' every so often,
> and then ignored the resulting alarm as it would know it was only a test,
> then this criticism would fall flat.
>
>
>Brian

Brian,
at present no IDS does this. I know where you are coming from though.. most
physical systems of any worth have line monitoring to detect when the sensor
has been removed from the system or has failed.

I think the best thing to do is to hassle the IDS companies for a paradigm
change. Currently they all base themselves on the virus scanning paradigm -
they really should go off and learn how to build a physical alarm system :}

Cheers,
Bret
Technical Incursion Countermeasures
consulting@TICM.COM http://www.ticm.com/
ph: (+61)(041) 4411 149(UTC+8 hrs) fax: (+61)(08) 9454 6042

The Insider - a e'zine on Computer security Vol 3 Issue 1 out now
http://www.ticm.com/info/insider/index.html
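
Added example, not part of the original thread and not NetRanger's or any vendor's code: a director-side sketch in Python that combines the one-minute heartbeat timeout described above with the proposed self-test, where a known test 'intrusion' is injected, its alarm is suppressed, and a missing alarm is itself reported. The class and method names, the alarm dictionary layout and the 30-second canary deadline are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 60   # seconds; the 1-minute figure quoted in the thread
CANARY_DEADLINE = 30     # seconds; assumed value for this sketch


@dataclass
class SensorWatch:
    """Director-side liveness state for one sensor (hypothetical names)."""
    last_heartbeat: float
    pending: dict = field(default_factory=dict)  # canary token -> time injected

    def heartbeat(self, now):
        self.last_heartbeat = now

    def inject_canary(self, now):
        # Random token so a predictable test marker cannot be reused to get
        # real alarms suppressed or to fake a passing self-test.
        token = secrets.token_hex(8)
        self.pending[token] = now
        return token  # caller embeds this in the known test 'intrusion'

    def on_alarm(self, alarm):
        """Return the alarm if it is real, None if it was our own test."""
        token = alarm.get("canary")
        if token in self.pending:
            del self.pending[token]   # test detected: sensor pipeline works
            return None
        return alarm                  # unknown, reused or absent token: real

    def faults(self, now):
        """Liveness alarms the director should raise at time `now`."""
        out = []
        if now - self.last_heartbeat > HEARTBEAT_TIMEOUT:
            out.append("comms: no heartbeat for %ds" % (now - self.last_heartbeat))
        for token, sent in list(self.pending.items()):
            if now - sent > CANARY_DEADLINE:
                out.append("self-test: canary %s not detected" % token)
                del self.pending[token]  # report each missed test once
        return out
```

A token is accepted only once, so an alarm that replays an old canary value is passed through as a real alarm rather than suppressed.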