RE: amount of alarms generated by IDS

From: Rob Shein (shoten_at_starpower.net)
Date: 05/11/04

  • Next message: Ravishankar Ithal: "RE: amount of alarms generated by IDS"
    To: "'Ravishankar Ithal'" <ravi_ithal@yahoo.com>, "'Bhargav Bhikkaji'" <bbhikkaji@yahoo.co.in>, <focus-ids@securityfocus.com>
    Date: Tue, 11 May 2004 12:03:24 -0400

    I'm a bit confused here. You're talking about inline IDS and IPS. Are you
    using the terms interchangeably? If so, you're mistaken; putting an IDS
    inline does not make it an IPS. And an IDS inline shouldn't be dropping
    packets. I could see how the signatures could be tuned differently due to
    the fact that it is able to ensure that it sees everything, and that could
    generate fewer FPs, but aside from that I doubt there would be any
    difference. Keep in mind that an inline IDS does not (normally) do anything
    to bad traffic, while an IPS takes an active role in
    munging/blocking/denying such.

    > -----Original Message-----
    > From: Ravishankar Ithal [mailto:ravi_ithal@yahoo.com]
    > Sent: Tuesday, May 11, 2004 12:46 AM
    > To: Bhargav Bhikkaji; focus-ids@securityfocus.com
    > Subject: Re: amount of alarms generated by IDS
    >
    >
    > "expected" is the keyword here. While promiscuous mode IDS
    > got away with logging alarms because of FPs, inline IDS(or
    > IPS) has more to lose. If it generates a lot of FPs and drops
    > good packets, network usability is at stake. Third party
    > correlation tools can't help inline IDS at all. For these
    > reasons, the initial configs for inline IDS devices should be
    > much more stringent and should contain high confidence
    > signatures only.
    >
    > -Ravishankar Ithal
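The trade-off the two posters are arguing about (an inline sensor that only alerts versus one that drops, and why an initial drop policy should be limited to high-confidence signatures) can be made concrete with a small simulation. The following is an added example and not code from either poster or from any product they mention; the signatures, confidence values and packets are constructed for illustration, and the mode names ("passive", "inline-ids", "ips") and the `min_confidence` parameter are assumptions of this model.

```python
"""Toy model of the passive-vs-inline trade-off discussed in the thread.

Constructed example (not from the list post). A sensor holds signatures
of differing confidence and is run in one of three modes:
  - "passive":    mirror/SPAN-style IDS, alert only
  - "inline-ids": sits in the forwarding path but still only alerts
  - "ips":        drops packets that match a signature whose confidence
                  is at or above min_confidence
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Signature:
    sid: int
    name: str
    pattern: bytes
    confidence: float  # 0..1: how rarely this pattern fires on benign traffic


@dataclass
class Packet:
    src: str
    payload: bytes
    malicious: bool  # ground truth, known only because this test set is constructed


@dataclass
class Result:
    alerts: List[Tuple[int, str]] = field(default_factory=list)
    forwarded: int = 0
    dropped_bad: int = 0
    dropped_good: int = 0  # benign packets dropped because of a false positive
    missed: int = 0        # malicious packets that were forwarded


# Constructed signatures: one precise, one deliberately broad.
SIGNATURES = [
    Signature(1001, "known exploit string", b"EXPLOIT-MARKER", 0.99),
    Signature(1002, "broad 'cmd.exe' match", b"cmd.exe", 0.40),
]

# Constructed traffic: a benign help-desk ticket happens to mention cmd.exe.
PACKETS = [
    Packet("10.0.0.5", b"GET /index.html", False),
    Packet("10.0.0.7", b"POST /upload EXPLOIT-MARKER", True),
    Packet("10.0.0.9", b"ticket: user cannot open cmd.exe, please advise", False),
    Packet("10.0.0.11", b"run cmd.exe /c whoami", True),
]


def inspect(pkt: Packet, sigs: List[Signature]) -> List[Signature]:
    """Return every signature whose pattern occurs in the payload."""
    return [s for s in sigs if s.pattern in pkt.payload]


def run_sensor(packets, sigs, mode: str, min_confidence: float = 0.0) -> Result:
    """Run the sensor in the given mode and tally what happened to each packet.

    min_confidence is only consulted in 'ips' mode; passive and inline-ids
    sensors never drop, they only alert.
    """
    if mode not in ("passive", "inline-ids", "ips"):
        raise ValueError(f"unknown mode {mode!r}")
    r = Result()
    for pkt in packets:
        hits = inspect(pkt, sigs)
        for s in hits:
            r.alerts.append((s.sid, pkt.src))
        # Only an IPS takes action on traffic; an inline IDS forwards everything.
        drop = mode == "ips" and any(s.confidence >= min_confidence for s in hits)
        if drop:
            if pkt.malicious:
                r.dropped_bad += 1
            else:
                r.dropped_good += 1
        else:
            r.forwarded += 1
            if pkt.malicious:
                r.missed += 1
    return r


if __name__ == "__main__":
    for mode, thr in (("passive", 0.0), ("inline-ids", 0.0), ("ips", 0.0), ("ips", 0.9)):
        res = run_sensor(PACKETS, SIGNATURES, mode, thr)
        print(f"{mode:10s} min_conf={thr:.2f} alerts={len(res.alerts)} "
              f"forwarded={res.forwarded} dropped_good={res.dropped_good} "
              f"dropped_bad={res.dropped_bad} missed={res.missed}")
```

Running it shows the point both posters are circling: the passive and inline-IDS modes produce identical alert counts and never affect traffic, so a false positive costs only analyst time; in IPS mode with every signature allowed to drop, the broad signature takes the help-desk ticket with it (`dropped_good=1`); raising `min_confidence` to 0.9 removes that collateral drop at the price of one missed packet, which is exactly the "high confidence signatures only" starting point the thread recommends.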
