RE: need your help about IPS and IDS,thanks

From: Ophir Rachman (ophir_at_securimine.com)
Date: 11/16/04

  • Next message: Lily: "Re: need your help about IPS and IDS,thanks"
    To: <focus-ids@securityfocus.com>
    Date: Tue, 16 Nov 2004 12:45:43 -0800
    
    

    Lily,
    I am not sure what your thesis focus is or what exactly the project is about,
    but I happen to work in a company called Securimine, which distributes
    SFS - a data mining analysis tool for Snort (you may have a look - I would
    love your feedback). I have some thoughts for you that might be helpful:
    - IPS and IDS are not really different. They both monitor the systems, make
    some decisions based on rules (these can be behavioral rules or specific
    attack signatures), and then decide on an action.
    - The one difference is that IDS does not support 'block' as an action while
    IPS does. This difference implies that IPS must be positioned inline while IDS
    can be passive.
    - The dream of IPS is that the security system will do everything for you
    and will make sure that everything that needs to be prevented is prevented
    and the rest is just logged. This dream is NOT true and, if I may say so,
    will never come true (perhaps only for DDoS and 'quantity oriented' attacks
    like worms). The reality is that the best IPS systems today have 10% of
    their ruleset marked as 'blocking', since 90% of the rules create too much
    noise. Eliminating the noisy rules diminishes the value of the detection
    engine and is not realistic.
    - Without doing too much marketing, this is why we started Securimine. We
    believe that even if you block what you can, there is still going to be tons
    of data generated by the other rules which is important and needs to be
    analyzed. This is the true value of data mining - the ability to identify
    the normal behavior from the data itself and alert when things out of the
    ordinary happen.

    Hope that helps,
    Ophir Rachman, Ph.D.
    Securimine Software Inc.
    ophir@securimine.com

    -----Original Message-----
    From: Lily [mailto:xiaoche111@hotmail.com]
    Sent: Saturday, November 13, 2004 6:53 AM
    To: focus-ids@securityfocus.com
    Subject: need your help about IPS and IDS,thanks

    Hi all,
    I have some questions to ask which I think must be simple to you.
    1. Must an IPS build a normal model while an IDS can use the abnormal
    model (misuse detection)? If so, what's the difference between the IDS's
    anomaly detection and IPS?
    2. Has someone formally used data mining technology in an IPS?
    3. Besides DoS and buffer overflow etc., has any other way been used in
    IPS, like user behaviour analysis?
    4. Why did someone say an IPS cannot log the trace of the attacks while an IDS
    can? I think an IPS can do it easily. Maybe because the IPS is in-line and logging
    the trace needs too much time?
    So depressed with the IDS/IPS, and my thesis is flying in the sky :(
    Thank you in advance.

    Lily

    
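The two claims in the reply above, that most rules fire too often to be safe as an inline 'block' action and that normal behaviour can be learned from the alert data itself, as an added example that is not part of the original post and is not Securimine's SFS. It parses Snort alert_fast lines, learns a per-signature hourly baseline, keeps only the quiet high-priority signatures as block candidates, and flags the hour under review when a signature's count runs well above its baseline. The sample alerts, signature IDs, the "noisy" threshold of 5 alerts/hour and the 3-standard-deviation limit are all constructed for illustration.

```python
"""Added example (not from the original post, not Securimine's SFS):
baseline-and-deviation analysis over Snort 'alert_fast' output.

Rules that fire too often are unsafe to run inline as 'block'; the
normal alert volume per signature can be learned from the alert data
itself so that unusual hours stand out. Thresholds and sample data
below are assumptions chosen for illustration.
"""
import re
import statistics
from collections import Counter, defaultdict

# Snort alert_fast line, e.g.
# 11/16-12:45:43.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**]
#   [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 10.0.0.9:1434
ALERT_RE = re.compile(
    r"^(?P<hour>\d\d/\d\d-\d\d):\d\d:\d\d\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample: four baseline hours and one hour under review.
BASELINE_HOURS = ["11/15-09", "11/15-10", "11/15-11", "11/15-12"]
CURRENT_HOUR = "11/16-12"
# sid -> (msg, priority, alerts in each baseline hour, alerts in current hour)
SIGNATURES = {
    1000: ("SCAN nmap TCP", 3, [20, 20, 20, 20], 22),                # steady noise
    1390: ("SHELLCODE x86 inc ebx NOOP", 1, [8, 8, 8, 8], 9),        # severe but chatty
    2003: ("MS-SQL Worm propagation attempt", 2, [1, 2, 1, 2], 30),  # sudden burst
    3000: ("WEB-ATTACKS /bin/sh access", 1, [1, 1, 1, 1], 0),        # severe and quiet
}


def _make_lines(hour, sid, msg, prio, n):
    """Emit n constructed alert_fast lines for one signature in one hour."""
    return [
        f"{hour}:{i % 60:02d}:00.000000  [**] [1:{sid}:1] {msg} [**] "
        f"[Priority: {prio}] {{TCP}} 10.0.0.{i % 250 + 1}:4444 -> 192.168.1.10:80"
        for i in range(n)
    ]


def build_sample():
    """The whole constructed alert log: baseline hours plus the current hour."""
    lines = []
    for sid, (msg, prio, base, cur) in SIGNATURES.items():
        for hour, n in zip(BASELINE_HOURS, base):
            lines += _make_lines(hour, sid, msg, prio, n)
        lines += _make_lines(CURRENT_HOUR, sid, msg, prio, cur)
    return lines


def parse_alert(line):
    """Return the fields of one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    return {"hour": m["hour"], "sid": int(m["sid"]), "msg": m["msg"],
            "prio": int(m["prio"]), "src": m["src"], "dst": m["dst"]}


def count_by_sid_hour(lines):
    """sid -> Counter(hour -> alerts), plus the priority seen for each sid."""
    counts, prio = defaultdict(Counter), {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        counts[a["sid"]][a["hour"]] += 1
        prio[a["sid"]] = a["prio"]
    return counts, prio


def noisy_signatures(counts, hours, max_per_hour):
    """Signatures averaging more than max_per_hour alerts over the baseline."""
    return {sid for sid, per_hour in counts.items()
            if statistics.fmean([per_hour.get(h, 0) for h in hours]) > max_per_hour}


def block_candidates(counts, prio, hours, max_per_hour, max_priority=1):
    """High-priority signatures quiet enough to be safe as an inline 'block'."""
    noisy = noisy_signatures(counts, hours, max_per_hour)
    return {sid for sid in counts if prio[sid] <= max_priority and sid not in noisy}


def anomalies(counts, hours, current_hour, k=3.0, stdev_floor=1.0):
    """Signatures whose current-hour count exceeds baseline mean + k * stdev.
    The stdev floor keeps a perfectly steady baseline from flagging +1 alert."""
    found = []
    for sid, per_hour in counts.items():
        base = [per_hour.get(h, 0) for h in hours]
        mean = statistics.fmean(base)
        sd = max(statistics.stdev(base) if len(base) > 1 else 0.0, stdev_floor)
        cur = per_hour.get(current_hour, 0)
        if cur > mean + k * sd:
            found.append((sid, cur, round(mean, 2), round(mean + k * sd, 2)))
    return found


if __name__ == "__main__":
    counts, prio = count_by_sid_hour(build_sample())
    print("noisy (leave as alert):", sorted(noisy_signatures(counts, BASELINE_HOURS, 5)))
    print("block candidates:", sorted(block_candidates(counts, prio, BASELINE_HOURS, 5)))
    for sid, cur, mean, limit in anomalies(counts, BASELINE_HOURS, CURRENT_HOUR):
        print(f"sid {sid}: {cur} alerts in {CURRENT_HOUR}, baseline {mean}/h, limit {limit}")
```

On the constructed data only one of the four signatures ends up as a block candidate: sid 1390 is priority 1 but fires eight times an hour on ordinary traffic, so it stays alert-only, which is the kind of ratio the reply describes. The worm signature is never a block candidate on priority alone, yet its jump from about 1.5 alerts/hour to 30 is exactly what the baseline comparison surfaces without any rule change.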
