On Wednesday 19 March 2008 13:40:21 Steve Grubb wrote:
 On Wednesday 19 March 2008 13:12:22 Linda Knippers wrote:
 > Rather than using the key for two purposes and introducing special key
 > words, couldn't an admin just tell the IDS which he's are of interest?
 > And what the priority of each one is?
 The problem is that you can tell the IDS that you want any reads
 of /opt/my-secrets, but unless you have a matching audit rule you will not
 get any records. This allows you to make sure you have a watch paired with
 its meaning. 
And I should add, the IDS could run on each remote system, or off an
aggregator. This means expressing rules gets more complicated when you have
to express rules as: on this particular host, I am looking for files in this
location. To me, it's just simpler and hopefully less error-prone to use the
key field like this.
-Steve
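An added illustration of the pairing Steve describes, not code from the thread: the IDS policy names the keys it cares about, a check confirms each key is actually emitted by a loaded watch, and the priority is then read off the key= field of raw audit records. The rules fragment, policy table and records below are constructed samples.

```python
import re

# Constructed audit.rules fragment, not from the thread: every watch carries a key
# that encodes the meaning (here, a priority) the IDS should give its records.
AUDIT_RULES = """\
-w /opt/my-secrets -p r -k ids-high
-w /etc/shadow -p wa -k ids-high
-w /var/www/html -p wa -k ids-low
"""

# Constructed IDS policy: key -> priority. ids-medium has no watch backing it.
IDS_POLICY = {"ids-high": "high", "ids-medium": "medium", "ids-low": "low"}

# Constructed, abridged raw audit records; real SYSCALL records carry more fields.
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1205949600.123:456): arch=c000003e syscall=2 success=yes exit=3 auid=1000 key="ids-high"
type=SYSCALL msg=audit(1205949601.456:457): arch=c000003e syscall=2 success=yes exit=4 auid=1000 key="ids-low"
type=SYSCALL msg=audit(1205949602.789:458): arch=c000003e syscall=2 success=yes exit=5 auid=1000 key=(null)
"""

RULE_KEY_RE = re.compile(r"(?:^|\s)-k\s+(\S+)")
RECORD_KEY_RE = re.compile(r'\bkey="([^"]*)"')
SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def keys_from_rules(rules_text):
    """Keys that loaded watches actually emit (blank and comment lines ignored)."""
    keys = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_KEY_RE.search(line)
        if m:
            keys.add(m.group(1))
    return keys


def unbacked_policy_keys(policy, rules_text):
    """Policy keys with no matching rule: the IDS silently gets no records for them."""
    return set(policy) - keys_from_rules(rules_text)


def classify(records_text, policy):
    """(serial, priority) per record; a record without a known key maps to None."""
    out = []
    for line in records_text.splitlines():
        serial = SERIAL_RE.search(line).group(1)
        m = RECORD_KEY_RE.search(line)
        out.append((serial, policy.get(m.group(1)) if m else None))
    return out
```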