Re: host-based ids evaluation

From: Talisker (talisker@networkintrusion.co.uk)
Date: 08/15/02


From: "Talisker" <talisker@networkintrusion.co.uk>
To: "Kurt Seifried" <bugtraq@seifried.org>, "roy lo" <roylo@sr2c.com>
Date: Thu, 15 Aug 2002 22:36:32 +0100

Kurt

There will rarely be a perfect analogy or definition. But by categorising
products it helps to avoid ambiguities when selecting products. I feel
SecureEXE falls into the category of File Integrity Checker. I'm biased: I
try to maintain a website listing all IDS of every persuasion; if I didn't
categorise them the "one" page would be huge (just kidding). As discussed
earlier they are different beasts and should be separated as such.

I personally don't see the discussion as silly, if it helps people realise
there are succinct differences in the products they are looking to purchase.

I agree that some of the approaches taken on these days are indeed
innovative, the vendors (some) should be commended on their forward
thinking. (Did I just say that?)

thoughts?
andy
http://www.networkintrusion.co.uk

> Ok... So solutions such as SecureWave SecureEXE which are host based, and
> block execution of non approved code in real time (generate a database of
> md5/sha1 sigs for known good apps, install client, done) is reactive?
>
> People, definitions like this pro/reactive are SILLY. Really really silly.
> There are so many products out now taking all sorts of interesting
> approaches and implementations it's really stupid to be making such broad
> overgeneralizations.
>
> Let the argument and bad analogies begin!
>
> Kurt Seifried, kurt@seifried.org
> A15B BEE5 B391 B9AD B0EF
> AEB0 AD63 0B4E AD56 E574
> http://seifried.org/security/