Re: IDS bells ringing



On Tue, Jan 31, 2006 at 07:02:07PM -0600, patgus wrote:
>  Ok, not surprisingly I suppose my IDS is going nutso. As I have set
>myself up as an exit node this probably means people are hacking through
>tor. Guess that is to be expected.

I am not surprised by this, but not for the reason you indicate.

Intrusion detection systems suck. All the ones that I know about produce a
huge pile of false positives. Basically, once you start sending packets
around on a variety of protocols, your IDS is going to go nutso. This
doesn't mean people are hacking through Tor. (However, with several
hundred thousand active Tor users, I'm sure a bit of bad stuff *is*
happening -- just like elsewhere on the Internet.)

See
http://www.sans.org/resources/idfaq/false_alarms.php
for another way of phrasing this.

Hope that helps,
--Roger