Re: Distributed IDS

From: Yoann Vandoorselaere
Date: 10/09/03

  • Next message: Kohlenberg, Toby: "RE: Network hardware IPS"
    To: Gaurav <>
    Date: Thu, 09 Oct 2003 13:34:20 +0200

    On Sun, 2003-10-05 at 16:12, Gaurav wrote:
    > Hi,
    > I would like to have suggestions about the implementation of a
    > Distributed Intrusion Detection System:
    > 1. What Architectures can be deployed for distributed architecture?

    Prelude is a distributed Hybrid IDS. It's available under the GPL
    license and currently has a lot of sensors like Prelude NIDS, Prelude
    LML (Host based IDS) and external programs that were modified to make
    them able to report to the Prelude system, like Honeyd, Systrace, Snort,
    Nessus, Hogwash, and more.

    You can check it out on

    > 2. From Research Point of view what limitations does current IDS have
    > and what new could be done.

    Pattern matching makes it hard for NIDS to catch up with very high
    networking speed. Algorithm improvement and hardware support might help.
    Also NIDS won't help in analyzing ciphered protocols. A host-based IDS
    might help here.

    > 3. How to write scalable Module driven projects?

    Having a modular architecture sounds very important so that you can
    dynamically plug in or out parts of the system. Prelude implements that.

    > 4. Any source code available to develop mobile agents in c/c++?

    The Prelude library provides you with the necessary API to make your
    agent communicate with the whole Prelude system. The whole Prelude suite
    is written in C. Moreover, in future Prelude versions, Perl API bindings
    will be available, allowing you to create Perl agents.

    Yoann Vandoorselaere <>
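The architecture the reply sketches (independent sensors of different kinds reporting to one central manager over a common alert format, sensors pluggable at runtime, and a host-based sensor covering what a packet-matching sensor cannot see inside encrypted sessions) can be shown in a small self-contained model. The code below is an added example for this archive page; it is not Prelude code, and the `Alert` schema, the JSON wire format, the class names, the traversal signature and the sample packets and sshd log lines are all constructed for illustration.

```python
"""Toy hybrid IDS manager with pluggable sensors (added example, not Prelude code).

Models the post's architecture: a network sensor doing signature matching over
cleartext payloads, a host-log sensor reading sshd logs, and a central manager
that accepts alerts in one common format and lets sensors be plugged in or out.
Every identifier and sample value here is an assumption made for the example.
"""
import json
import re
from collections import Counter
from dataclasses import dataclass, asdict


@dataclass
class Alert:
    """Common alert record every sensor reports to the manager (constructed schema)."""
    sensor: str
    kind: str
    source: str
    detail: str

    def to_wire(self) -> str:
        # JSON stands in for a real IDS message format (assumption for the example).
        return json.dumps(asdict(self))


class NetSensor:
    """Network sensor: signature matching, so it only sees cleartext payloads."""
    name = "nids"
    # Constructed signature: an HTTP request line carrying a "../" path traversal.
    signatures = {"http-traversal": re.compile(rb"(GET|POST) [^ ]*\.\./")}

    def inspect(self, packets):
        for pkt in packets:
            for kind, rx in self.signatures.items():
                if rx.search(pkt["payload"]):
                    yield Alert(self.name, kind, pkt["src"],
                                pkt["payload"][:40].decode("latin-1"))


class HostLogSensor:
    """Host-based sensor: reads sshd log lines, so encryption on the wire is no obstacle."""
    name = "hids"
    failed = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")

    def __init__(self, threshold=3):
        self.threshold = threshold  # failed logins per source before alerting

    def inspect(self, lines):
        hits = Counter()
        for line in lines:
            m = self.failed.search(line)
            if m:
                hits[m.group(1)] += 1
        for src, n in hits.items():
            if n >= self.threshold:
                yield Alert(self.name, "ssh-bruteforce", src, f"{n} failed logins")


class Manager:
    """Central collector; sensors register and unregister at runtime (modular plug-in/out)."""

    def __init__(self):
        self.sensors = {}
        self.alerts = []

    def register(self, sensor):
        self.sensors[sensor.name] = sensor

    def unregister(self, name):
        self.sensors.pop(name, None)

    def ingest(self, wire):
        # Every sensor, whatever its kind, delivers the same serialized Alert.
        alert = Alert(**json.loads(wire))
        self.alerts.append(alert)
        return alert

    def collect(self, inputs):
        for name, sensor in list(self.sensors.items()):
            for alert in sensor.inspect(inputs.get(name, [])):
                self.ingest(alert.to_wire())
        return self.alerts


# Constructed sample input: three packets and four sshd log lines.
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.80", "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"src": "10.0.0.9", "dst": "10.0.0.80", "payload": b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"},
    # An SSH session: opaque ciphertext, nothing for a signature to match.
    {"src": "10.0.0.7", "dst": "10.0.0.22", "payload": b"\x17\x03\x03\x00\x2a\x8f\x1c\x02\x9b"},
]
SSH_LOG = [
    "Oct  9 13:30:01 host sshd[411]: Failed password for root from 10.0.0.7 port 4022 ssh2",
    "Oct  9 13:30:03 host sshd[411]: Failed password for root from 10.0.0.7 port 4023 ssh2",
    "Oct  9 13:30:05 host sshd[411]: Failed password for admin from 10.0.0.7 port 4024 ssh2",
    "Oct  9 13:31:00 host sshd[412]: Accepted publickey for yoann from 10.0.0.3 port 4100 ssh2",
]


def demo(with_hids=True):
    """Run the manager with the network sensor and, optionally, the host sensor."""
    mgr = Manager()
    mgr.register(NetSensor())
    if with_hids:
        mgr.register(HostLogSensor(threshold=3))
    return mgr.collect({"nids": PACKETS, "hids": SSH_LOG})


if __name__ == "__main__":
    for a in demo():
        print(a.to_wire())
```

With both sensors registered the manager ends up with two alerts: the network sensor flags the traversal request, and the host sensor flags the repeated failed logins from 10.0.0.7. Running `demo(with_hids=False)` leaves only the first alert, which is the point the reply makes about ciphered protocols: the SSH traffic is invisible to pattern matching, and only the host-based sensor reading the daemon's own log recovers the event.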
