IDS bells ringing
Roger Dingledine
arma at mit.edu
Wed Feb 1 01:28:01 UTC 2006
On Tue, Jan 31, 2006 at 07:02:07PM -0600, patgus wrote:
> Ok, not suprisingly I suppose my IDS is going nutso. As I have set
>myself up as an exit node this probably means people are hacking through
>tor. Guess that is to be expected.
I am not surprised by this, but not for the reason you indicate.
Intrusion detection systems suck. All the ones that I know about produce a
huge pile of false positives. Basically, once you start sending packets
around on a variety of protocols, your IDS is going to nutso. This
doesn't mean people are hacking through Tor. (However, with several
hundred thousand active Tor users, I'm sure a bit of bad stuff *is*
happening -- just like elsewhere on the Internet.)
See
http://www.sans.org/resources/idfaq/false_alarms.php
for another way of phrasing this.
Hope that helps,
--Roger
More information about the tor-talk
mailing list