From: Valdis.Kletnieks@vt.edu
Subject: Re: [RFC] programmatic IDS routing
Date: Wed, 19 Mar 2008 14:05:42 -0400
Message-ID: <28772.1205949942@turing-police.cc.vt.edu>
References: <200803191302.48434.sgrubb@redhat.com>
To: Steve Grubb
Cc: Linux Audit
List-Id: linux-audit@redhat.com

On Wed, 19 Mar 2008 13:02:48 EDT, Steve Grubb said:

> files. In order for the IDS system to be able to distinguish an open of a
> watched file from an open of a *special* watched file that an alert should be
> sent for, I'd like to propose a standard way of alerting the IDS that this
> record needs additional scrutiny.

Why do we need special handling for something the IDS should be able to do for
itself? If your IDS system doesn't already have a copy of the list of
"special" watched files, you have *bigger* problems.