Log4j mitigation

Joe Greco jgreco at ns.sol.net
Mon Dec 13 15:35:45 UTC 2021


On Mon, Dec 13, 2021 at 03:50:11PM +0100, Jörg Kost wrote:
> But in a world where the attacker can leak out a whole 16-bit integer,
> monitoring that 0.003% for two-port states may be irrelevant.
> Not saying you shall not, but you will miss 99.997%. Agree?

There's all sorts of statements I might agree with.

However, if I have an easy indicator of a known problem, such as "LDAP
traffic to an unknown server", I might be very tempted to set the IDS
to notify me if it sees the weird thing, and then let the very fast
moron just do its job.  That's what it's there for, after all.  Right?

I don't care if it misses 9% or 99% or 99.997%.  If I can generate some
cheap and easy hits, without finding out about problems the Equifax
way, I don't see the harm in that.  Sometimes we do things "just in
case."

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way
through our political and cultural life, nurtured by the false notion that
democracy means that 'my ignorance is just as good as your knowledge.'"-Asimov
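As an added example (not part of this thread or of anything Joe posted), here is the cheap "LDAP traffic to an unknown server" check he describes, run over constructed connection-log lines; the port list, the known-directory subnet and the log format are assumptions:

```python
"""Flag outbound LDAP connections whose destination is not a known
directory server. Added example, not from the NANOG thread."""
from ipaddress import ip_address, ip_network

# Ports LDAP, LDAPS and AD global catalog normally listen on (assumption).
LDAP_PORTS = {389, 636, 3268, 3269}

# Directory servers this environment is allowed to talk to (constructed).
KNOWN_LDAP = [ip_network("10.0.5.0/24")]

# Constructed log lines in a simple "timestamp src dst dport proto" form.
SAMPLE_LOG = """\
2021-12-13T15:30:01Z 10.0.20.14 10.0.5.10 389 tcp
2021-12-13T15:30:07Z 10.0.20.14 203.0.113.77 389 tcp
2021-12-13T15:30:11Z 10.0.20.15 10.0.5.11 636 tcp
2021-12-13T15:30:15Z 10.0.20.16 198.51.100.9 3268 tcp
2021-12-13T15:30:16Z 10.0.20.16 198.51.100.9 443 tcp
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "dport": int(dport), "proto": proto}


def is_known_ldap_server(addr):
    return any(addr in net for net in KNOWN_LDAP)


def find_unknown_ldap(log_text):
    """Return records for LDAP-port connections to non-allowlisted hosts.

    Port matching is deliberately crude: it misses LDAP on non-standard
    ports, which is exactly the 'miss 99%' trade-off the thread discusses.
    The point is a cheap, low-noise hit, not complete coverage.
    """
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["proto"] != "tcp" or rec["dport"] not in LDAP_PORTS:
            continue
        if is_known_ldap_server(rec["dst"]):
            continue
        alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in find_unknown_ldap(SAMPLE_LOG):
        print(f"ALERT {a['ts']} {a['src']} -> {a['dst']}:{a['dport']}")
```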

