RE: amount of alarms generated by IDS

From: Rob Shein (shoten_at_starpower.net)
Date: 05/11/04

Next message: Ravishankar Ithal: "RE: amount of alarms generated by IDS"

Previous message: Frank Knobbe: "RE: amount of alarms generated by IDS"
In reply to: Ravishankar Ithal: "Re: amount of alarms generated by IDS"
Next in thread: Ravishankar Ithal: "RE: amount of alarms generated by IDS"
Reply: Ravishankar Ithal: "RE: amount of alarms generated by IDS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "'Ravishankar Ithal'" <ravi_ithal@yahoo.com>, "'Bhargav Bhikkaji'" <bbhikkaji@yahoo.co.in>, <focus-ids@securityfocus.com>
Date: Tue, 11 May 2004 12:03:24 -0400

I'm a bit confused here. You're talking about inline IDS and IPS. Are you
using the terms interchangably? If so, you're mistaken; putting an IDS
inline does not make it an IPS. And an IDS inline shouldn't be dropping
packets. I could see how the signatures could be tuned differently due to
the fact that it is able to ensure that it sees everything, and that could
generate fewer FPs, but aside from that I doubt there would be any
difference. Keep in mind that an inline IDS does not (normally) do anything
to bad traffic, while an IPS takes an active role in
munging/blocking/denying such.

> -----Original Message-----
> From: Ravishankar Ithal [mailto:ravi_ithal@yahoo.com]
> Sent: Tuesday, May 11, 2004 12:46 AM
> To: Bhargav Bhikkaji; focus-ids@securityfocus.com
> Subject: Re: amount of alarms generated by IDS
>
>
> "expected" is the keyword here. While promiscuous mode IDS
> got away with logging alarms because of FPs, inline IDS(or
> IPS) has more to lose. If it generates a lot of FPs and drops
> good packets, network usability is at stake. Third party
> correlation tools can't help inline IDS at all. For these
> reasons, the initial configs for inline IDS devices should be
> much more stringent and should contain high confidence
> signatures only.
>
> -Ravishankar Ithal

---------------------------------------------------------------------------

Next message: Ravishankar Ithal: "RE: amount of alarms generated by IDS"

Previous message: Frank Knobbe: "RE: amount of alarms generated by IDS"
In reply to: Ravishankar Ithal: "Re: amount of alarms generated by IDS"
Next in thread: Ravishankar Ithal: "RE: amount of alarms generated by IDS"
Reply: Ravishankar Ithal: "RE: amount of alarms generated by IDS"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: amount of alarms generated by IDS
... Inline IDS exists, it's just what you call your IPS ... > network managers that would be willing to start dropping packets just ... these is but one factor in the total decision to filter. ...
(Focus-IDS)
Re: definition for Inline IDS/IPS
... an inline IDS or IPS actually has packets pass ... not only can attacks be detected; ...
(Focus-IDS)