need your help about IPS and IDS, thanks

From: Lily (xiaoche111_at_hotmail.com)
Date: 11/13/04

To: <focus-ids@securityfocus.com>
Date: Sat, 13 Nov 2004 22:52:31 +0800

Hi, all

I have some questions to ask which must be simple to you, I think.

1. IPS must build a normal model while IDS can use the abnormal model (misuse detection)? If so, what's the difference between the IDS's anomaly detection and IPS?
2. Has someone formally used data mining technology in the IPS?
3. Besides DoS and buffer overflow etc., has any other way been used in IPS, just like user behaviour analysis?
4. Why has someone said IPS cannot log the trace of the attacks while IDS can? I think IPS can do it easily. Maybe because IPS is in-line and logging the trace needs a lot of time?

So depressed with the IDS/IPS, and my thesis is flying in the sky :(
Thank you in advance.

Lily
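An added illustration of the distinction behind questions 1 and 4, written for this archive page and not part of Lily's message or any reply: a small in-line sensor that applies both a misuse model (signatures for known-bad content) and an anomaly model (a learned "normal" request rate per source), and that logs every hit whether it is running as an IPS (drop) or as an IDS (alert only). The signatures, threshold and sample traffic are constructed for the example.

```python
from collections import Counter
from statistics import mean, pstdev

# Misuse detection: explicit knowledge of known-bad content (signatures).
SIGNATURES = {
    "long-uri": lambda p: len(p["uri"]) > 200,   # crude buffer-overflow probe
    "traversal": lambda p: "../" in p["uri"],
}

class InlineSensor:
    def __init__(self, prevent=True, k=3.0):
        self.prevent = prevent    # True = IPS (drop), False = IDS (alert only)
        self.k = k                # anomaly threshold in standard deviations
        self.baseline = None      # the "normal model", learned from clean traffic
        self.log = []             # every hit is logged in both modes

    def train(self, normal_packets):
        """Normal model: mean and spread of requests per source address."""
        counts = list(Counter(p["src"] for p in normal_packets).values())
        self.baseline = (mean(counts), pstdev(counts) or 1.0)

    def anomalies(self, window):
        """Sources whose request rate deviates from the learned normal."""
        mu, sigma = self.baseline
        per_src = Counter(p["src"] for p in window)
        return {s for s, n in per_src.items() if (n - mu) / sigma > self.k}

    def process(self, window):
        """Return the packets forwarded; drop (IPS) or alert (IDS) on hits."""
        noisy = self.anomalies(window)
        forwarded = []
        for p in window:
            hits = [name for name, rule in SIGNATURES.items() if rule(p)]
            if p["src"] in noisy:
                hits.append("rate-anomaly")
            if hits:
                self.log.append(("drop" if self.prevent else "alert", p["src"], hits))
                if self.prevent:
                    continue          # in-line: the packet never reaches the host
            forwarded.append(p)
        return forwarded

# Constructed sample traffic: 20 hosts making 5 requests each is "normal";
# the test window adds one flooding host and one directory-traversal request.
NORMAL = [{"src": f"10.0.0.{h}", "uri": "/index.html"}
          for h in range(1, 21) for _ in range(5)]
WINDOW = (NORMAL + [{"src": "10.0.0.99", "uri": "/"} for _ in range(30)]
          + [{"src": "10.0.0.7", "uri": "/../../etc/passwd"}])
```

Running `InlineSensor().train(NORMAL)` and then `process(WINDOW)` drops the 30 flood packets and the traversal request and logs 31 entries; with `prevent=False` the same 31 entries are logged but all 131 packets are forwarded.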
