Re: Comparing the performance of two IDS products with different architectures

From: Bennett Todd (bet@rahul.net)
Date: 10/16/01


Date: Mon, 15 Oct 2001 21:04:56 -0400
From: Bennett Todd <bet@rahul.net>
To: Veselin Mijuskovic <panzer@etf.bg.ac.yu>
Subject: Re: Comparing the performance of two IDS products with different architectures
Message-ID: <20011015210456.K16471@rahul.net>


2001-10-15-08:24:04 Veselin Mijuskovic:
> The sole purpose of an Intrusion Detection System is to
> detect intrusions to the system it is protecting.

There's another purpose, so very closely related that it seems to
have gotten inescapably tied to the acronym "IDS": to detect (and
report, and archive for subsequent forensic analysis) _attempted_
intrusions.

I'm finding it valuable to distinguish that forensic role from the
front-line task of detecting actual, "interesting" (i.e. possibly
successful) attacks; designs can do a better job if they optimize
for one or the other rather than trying to do both.

An Intrusion Detection System, for setting off alarms when someone
is breaking in, works best with a very actively tuned signature
list, so that it's only looking for packets for which it will really
want to generate alarms --- that's a strategy that can work for
wire-speed IDS at modern fast network speeds without Ludicrous Speed
hardware.

An IDS for gathering and reporting trend data, and providing
forensic logs for help reconstructing attack patterns, can do its
job very usefully even if it fails to keep up with traffic bursts,
even if it can be overwhelmed. And it can do this without a lot of
brilliance and aggressive maintenance invested in tuning the
signature database down fine.

-Bennett
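As an added illustration of the two roles separated above (this is not part of the original message; the traffic, signature names and buffer size are constructed assumptions), a short Python sketch runs the same packets through a small, tightly tuned alarm path and a bounded forensic archive that records what it can and counts what it drops:

```python
from dataclasses import dataclass, field

# Constructed sample traffic (src, dst port, payload); not real captures.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.0"),
    ("10.0.0.7", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0"),
    ("10.0.0.9", 21, b"USER anonymous"),
    ("10.0.0.9", 80, b"GET /scripts/cmd.exe?/c+dir HTTP/1.0"),
    ("10.0.0.12", 80, b"HEAD / HTTP/1.0"),
    ("10.0.0.13", 25, b"EHLO mail.example"),
]

# Alarm path: a short, actively tuned list; every hit is worth an alarm.
ALERT_SIGNATURES = {"dir-traversal": b"/../", "cmd-exec": b"cmd.exe"}

# Forensic path: a broad list for trend data; noise is fine, drops are survivable.
FORENSIC_SIGNATURES = {
    **ALERT_SIGNATURES,
    "ftp-anon": b"anonymous",
    "http-head": b"HEAD ",
    "smtp-ehlo": b"EHLO",
}

def alert_pass(packet):
    """Front-line detector: names of tuned signatures that fire on this packet."""
    _, _, payload = packet
    return [name for name, pat in ALERT_SIGNATURES.items() if pat in payload]

@dataclass
class ForensicLog:
    """Bounded archive: keeps up to `capacity` records, counts the rest as dropped."""
    capacity: int
    records: list = field(default_factory=list)
    dropped: int = 0

    def offer(self, packet):
        if len(self.records) >= self.capacity:
            self.dropped += 1      # overwhelmed by the burst; the drop count is itself data
            return
        src, port, payload = packet
        tags = [n for n, pat in FORENSIC_SIGNATURES.items() if pat in payload]
        self.records.append((src, port, tags))

def run_sensor(packets, forensic_capacity):
    """Feed each packet to both roles; alarms never wait on the forensic buffer."""
    alarms, log = [], ForensicLog(forensic_capacity)
    for pkt in packets:
        hits = alert_pass(pkt)
        if hits:
            alarms.append((pkt[0], hits))
        log.offer(pkt)
    return alarms, log
```

With a capacity of 4 the forensic log drops the last two packets yet both alarms still fire, which is the separation of concerns the message argues for.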
