Posted by: Anonymous Coward
on August 08, 2006 05:40 AM
Perhaps it's just the nature of intrusion detection that administering it will always be complex, but that very complexity makes it useless for a lot of admins. Too much work to tweak and tune, too many false positives, and you're never really sure if it's going to catch the bad stuff.
I do what I can by putting system files on non-writeable media, like bootable live CD-ROMs. I know those binaries are good. :) This isn't very practical for busy servers, but for firewalls and low-volume servers it works great. Maybe someday we'll have hard drives that include a physical write-protect key.