Help Net Security: Interview with Judy Novak, Co-author of "Network Intrusion Detection 3/e"
Feb 25, 2003, 05:30 (0 Talkback[s])
(Other stories by Mirko Zorz)
No-Size-Fits-All! An Application-Down Approach for Your Cloud Transformation REGISTER >
[ Thanks to LogError for this link.
Which are your favourite security tools and why?
"We'll I'm going to show my roots by declaring the Naval Surface
Warfare Center (NSWC) Shadow as one of the first and favorite
intrusion detection systems I used. I'd installed this at the
urging of Stephen Northcutt and discovered a great tool in Shadow
and a great friend in Stephen. It is based on tcpdump; and using
tcpdump and Shadow required that I become very familiar with TCP/IP
otherwise I would be totally clueless. To this day, even though
IDS' have made phenomenal advances, I still like using Shadow along
with the more modern IDS' to collect background traffic.
"Snort is another favorite tool since it rivals a lot of
commercial IDS' and is easy to install and configure. It's pretty
easy to write simple or complex rules and I like that you see the
offending packet when it alerts. If you don't have access to the
guts of the rule that triggered the alert and the dump of offending
packet, you don't know if an alert is real or a false positive. Too
many commercial IDS' don't let you see the signatures, rules, etc.
and don't dump the packet. You are at the mercy of the IDS with no
way of validating the accuracy of the alert. You can end up crying
wolf if you believe the IDS all of the time or you end up simply
ignoring it if you don't.
"We just finished up a red team exercise using nothing more than
freeware--nmap, nessus, and the Center for Internet Security (CIS)
benchmark tools. This gave us a combination of tools to map the
network using nmap, expose the vulnerabilities remotely using
nessus, and examine host configurations using the CIS benchmark