RE: Newbie IDS questions
From: robert_david_graham (robert_david_graham@yahoo.com)
Date: 01/10/02
From: robert_david_graham <robert_david_graham@yahoo.com>
To: "'Mike Hrubes'" <MHrubes@wizmo.com>, FOCUS-IDS@SECURITYFOCUS.COM
Date: Wed, 9 Jan 2002 19:34:13 -0500
BlackICE Guard does this.
Hogwash does it for Snort.
You have to consider the possibility of false-positives introducing problems
on the connection. The "Guard" product (from my company) contains a tuned
policy for this. There are tuned signature sets by people who use Hogwash.
> -----Original Message-----
> From: Mike Hrubes [mailto:MHrubes@wizmo.com]
> Sent: Wednesday, January 09, 2002 12:30 PM
> To: FOCUS-IDS@SECURITYFOCUS.COM
> Subject: Newbie IDS questions
>
>
> Hi all,
>
> I'm new to the IDS world. I understand what an IDS does, and why you
> need it, but I have some questions on the technical aspect of IDS. We
> are planning on implementing an IDS in the near future. The idea that
> has been proposed is to put the IDS in the path between connections,
> rather than connected in promiscuous mode. The reason they want to do
> this is so they can also run a blocking software, like portsentry, to
> block unwanted scans, etc.
>
> Is this even possible to do? The idea is to use a linux server running
> snort. This box would have two interfaces to route the traffic through
> it, scanning the signatures at the same time.
>
> Possible/not possible? If possible, good idea/bad idea? Opinions in
> general?
>
> Thanks in advance,
>
> Mike Hrubes