The time in which we are living, where detection follows close on the heels of intrusion, is breeding a triangle of processing power, intelligent software and the human genome, each trying not only to find a niche between the other two, as depicted and elaborated by Moore's law or logarithmic evolution, but also to exploit this small window of opportunity to the full of its potential.
It's rather interesting to work in a domain or a system while knowing all of its constraints, its logical and factual limitations and the projections of its demise, and so had been my experience with SNORT – an intrusion detection system (IDS).
A friend of mine, Jérôme Tête, and I worked on the project of deploying SNORT as IDS on both sides of a Demilitarized Zone (DMZ), which is the place that homes the servers supposed to serve their services not only to the enterprise but to the rest of the world as well. Both “BASE” and “Prewikka” were used as interfaces to this IDS, though the former can be deployed with a stand-alone IDS and the latter is rather an IDS manager integrating the database of intrusion logs, signatures or anomalies and the policies of the different IDSs in the network.
Prewikka was found to be better than BASE even in a single-IDS environment, because of its capability to aggregate logs of the same type and/or suspect packets from the same IP, thus rendering the reports and information actionable.
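As an added illustration (not part of the original post, and not Prewikka's or Snort's own code), the aggregation step described above can be reproduced over Snort's fast-alert log format: parse each line, then group by signature ID and source IP so that repeated hits from one host collapse into a single row an analyst can act on. The sample alert lines, local-range SIDs, addresses and the deliberate junk line are constructed for this example.

```python
import re
from collections import defaultdict

# Snort 2 "fast" alert line layout; sample lines below are constructed for this
# example (local-range SIDs 1000000+, documentation addresses, one junk line).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

SAMPLE_ALERTS = """\
03/14-10:01:02.000001  [**] [1:1000001:1] LOCAL web dir traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:80
03/14-10:01:02.500001  [**] [1:1000001:1] LOCAL web dir traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51235 -> 192.0.2.10:80
03/14-10:01:03.000001  [**] [1:1000001:1] LOCAL web dir traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51236 -> 192.0.2.10:80
03/14-10:02:00.000001  [**] [1:1000002:2] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
this line is not an alert and must be skipped, not crash the parser
03/14-10:05:00.000001  [**] [1:1000001:1] LOCAL web dir traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:40000 -> 192.0.2.11:80
"""

def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None for a line that is not an alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if m is None:
        return None
    a = m.groupdict()
    a["sid"], a["prio"] = int(a["sid"]), int(a["prio"])
    return a

def correlate(text):
    """Collapse raw alerts into one row per (signature ID, source IP) pair."""
    rows = defaultdict(lambda: {"count": 0, "targets": set(), "first": None,
                                "last": None, "msg": "", "prio": 0})
    for line in text.splitlines():
        a = parse_fast_alert(line)
        if a is None:
            continue                      # skip junk rather than abort the whole report
        r = rows[(a["sid"], a["src"])]
        r["count"] += 1
        r["targets"].add(a["dst"])
        r["first"] = r["first"] or a["ts"]
        r["last"], r["msg"], r["prio"] = a["ts"], a["msg"], a["prio"]
    return dict(rows)

def actionable(rows, min_count=3):
    """Rows worth an analyst's time: priority 1, or repeated hits from one source."""
    keep = [(k, r) for k, r in rows.items() if r["prio"] == 1 or r["count"] >= min_count]
    return sorted(keep, key=lambda kr: (kr[1]["prio"], -kr[1]["count"]))
```

Running `actionable(correlate(SAMPLE_ALERTS))` turns five raw alerts into two rows, with the three-hit source listed first; the low-priority single ICMP event is left out of the actionable view.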
The IDS was not installed for passive report generation, nor to please us by giving a so-to-speak sense of security; not because Intrusion Prevention Systems (IPS) are more inclined towards giving that false sense, but because the real objective was to exploit and to intrude into the servers by bypassing the detection.
While trying to simulate different attacks we found it to be quite responsive against the known types of attacks, but on the other hand, against innovation and wild imagination, it proved itself to be dumb enough. This does not imply that it should not be deployed; rather, on the contrary, it proved to be a good candidate for deployment, as security in its true essence is not securing against all odds but is rather about creating a barrier of time.
PS: the report “Système de détection de l’intrusion et sécurité” is currently in French, and is available to educational institutes only, upon special request.