Re: Network IDS

From: Mark Teicher (mht3_at_earthlink.net)
Date: 08/28/03

    Date: Thu, 28 Aug 2003 05:15:17 -0600
    To: Frank Knobbe <frank@knobbe.us>, Andreas Krennmair <netnews@synflood.at>
    
    

    Again off the beaten path, your description below is a HoneyPot, not an IPS.

    /m

    At 01:15 PM 8/27/2003, Frank Knobbe wrote:

    >On Tue, 2003-08-26 at 13:53, Andreas Krennmair wrote:
    > > How is your system protected when the exploit succeeds and is detected
    > > by the NIDS? Your system is compromised. The only thing where NIDS could
    > > be interesting is to record all attacks and to separate the known
    > > exploits from the unknown ones. That is, IMHO, the only really useful
    > > way NIDS could be used.
    >
    >
    >Another idea you could use this for is automated containment of
    >intrusions. Yeah, your box may be hacked by the time the IDS analyzes
    >the packet, but the reaction (i.e. firewall config) can be done to
    >automatically isolate that box so that the hacker can't get in or worms
    >break out. Same thing you would do by hand, except the IDS does it for
    >you much faster and at 4am when you're not there.
    >
    >Cheers,
    >Frank
    >
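
The automated containment Frank Knobbe describes in the quoted text, as an added example that is not part of the original thread: Python that reads Snort fast-format alert lines and produces iptables rules isolating the internal host involved. The network range, exempt hosts, local rule SIDs and sample alert lines are all constructed assumptions.

```python
import ipaddress
import re

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Assumed site policy. Exempt hosts guard against alerts steering the firewall
# into cutting off the gateway or DNS server (a self-inflicted outage).
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
NEVER_ISOLATE = {"192.168.1.1", "192.168.1.53"}
CONTAIN_SIDS = {1000001}  # hypothetical local rule trusted enough to trigger containment

# Constructed sample alerts (not captured traffic).
SAMPLE_ALERTS = """\
08/27-04:02:11.120001  [**] [1:1000001:1] LOCAL worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:1027 -> 192.168.1.20:1434
08/27-04:02:14.530412  [**] [1:1000001:1] LOCAL worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 192.168.1.20:1033 -> 198.51.100.7:1434
08/27-04:02:15.000731  [**] [1:1000002:1] LOCAL ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.9 -> 192.168.1.30
08/27-04:02:16.910220  [**] [1:1000001:1] LOCAL worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:1027 -> 192.168.1.1:1434
"""

def hosts_to_isolate(alert_text):
    """Return internal hosts named in containment-grade alerts, in first-seen order."""
    hosts = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m["sid"]) not in CONTAIN_SIDS:
            continue  # unparseable line, or a signature that only warrants logging
        for ip in (m["src"], m["dst"]):
            internal = ipaddress.ip_address(ip) in INTERNAL_NET
            if internal and ip not in NEVER_ISOLATE and ip not in hosts:
                hosts.append(ip)
    return hosts

def isolation_rules(host):
    """iptables commands for the forwarding firewall: cut the host off in both directions."""
    return [
        f"iptables -I FORWARD -s {host} -j DROP",  # keeps a worm from breaking out
        f"iptables -I FORWARD -d {host} -j DROP",  # keeps the intruder from getting back in
    ]

if __name__ == "__main__":
    for h in hosts_to_isolate(SAMPLE_ALERTS):
        print("\n".join(isolation_rules(h)))
```

The rules are only printed, so they can be reviewed or handed to whatever applies firewall changes at the site.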


