This post answers several questions about intrusion detection systems. For example, an IDS is a great way to capture forensic evidence of system activity (including intrusions); however, there are inherent problems with using IDS logs as legal evidence because the data can be manipulated, which undermines the credibility of the evidence. Describe the requirements on log data to be admissible as legal evidence.
In 2003, a well-publicized report from IT analyst firm Gartner predicted that the market for stand-alone IDS tools would soon disappear, and urged Gartner clients to cease investing in IDS tools in favor of firewalls. Clearly, the obsolescence of IDS tools by 2005 did not occur as Gartner predicted, due in part to significant increases in the technological capability, processing speed, and accuracy of IDS tools in the nearly 15 years since the erroneous prediction.
Contemporary enterprises have a wide array of network and platform security tools from which to choose, and as we have seen in this course there is substantial overlap in the capabilities of different categories of tools such as firewalls, IDS, anti-malware, vulnerability scanners, and so forth. What factors would exert the most influence on an organization and lead it to choose to implement IDS? In your response please identify potential benefits of IDS, potential drawbacks, and any considerations about an organization’s operating environment that might drive its decision.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"Attack Detected"; flow:to_server,established; content:"|02|"; depth:1; content:"sa"; depth:2; offset:39; nocase; detection_filter:track_by_src,count 5,seconds 2;)
content:"GET"; offset:5; depth:10; content:"downloads"; distance:10; within:9;
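To make the rule syntax concrete, here is an added toy evaluator (not Snort's code, and not part of the original post) that applies the content modifiers used above with Snort 2 semantics as I understand them: offset/depth are absolute from the start of the payload, distance/within are relative to the end of the previous content match, and detection_filter only raises an alert once a single source has produced the configured number of matches inside a sliding window. The payloads and the 10.0.0.x source addresses in the usage are constructed.

```python
"""Toy evaluator for Snort content modifiers and detection_filter (added example)."""
from collections import defaultdict, deque
from typing import Dict, List, Optional


def find_content(payload: bytes, pattern: bytes, prev_end: int = 0, offset: int = 0,
                 depth: Optional[int] = None, distance: Optional[int] = None,
                 within: Optional[int] = None) -> Optional[int]:
    """Return the index just past the match, or None if the clause fails.

    Without distance/within the window is payload[offset:offset+depth]; with them it
    is payload[prev_end+distance : prev_end+distance+within]. bytes.find() with an
    end bound requires the whole pattern to fit inside the window, as Snort does.
    """
    if distance is not None or within is not None:
        start = prev_end + (distance or 0)
        end = start + within if within is not None else len(payload)
    else:
        start = offset
        end = start + depth if depth is not None else len(payload)
    pos = payload.find(pattern, start, end)
    return None if pos < 0 else pos + len(pattern)


def rule_matches(payload: bytes, contents: List[Dict]) -> bool:
    """Apply the content clauses in order; each relative clause keys off the last match."""
    prev_end = 0
    for clause in contents:
        prev_end = find_content(payload, prev_end=prev_end, **clause)
        if prev_end is None:
            return False
    return True


# The two content clauses from the second rule fragment above.
GET_DOWNLOADS = [
    {"pattern": b"GET", "offset": 5, "depth": 10},
    {"pattern": b"downloads", "distance": 10, "within": 9},
]


class DetectionFilter:
    """detection_filter:track_by_src,count N,seconds S -- True from the N-th match
    a source produces within a sliding S-second window (constructed approximation)."""

    def __init__(self, count: int, seconds: float):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(deque)  # src -> timestamps of recent matches

    def observe(self, src: str, ts: float) -> bool:
        q = self.hits[src]
        q.append(ts)
        while q and ts - q[0] > self.seconds:  # drop matches outside the window
            q.popleft()
        return len(q) >= self.count
```

Note that "downloads" is exactly 9 bytes, so distance:10 with within:9 pins it to one position: it must start 10 bytes after the end of "GET", and a payload where it starts one byte earlier or later does not match.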