Re: need your help about IPS and IDS,thanks

From: Lily (
Date: 11/17/04

  • Next message: Lily: "Re: need your help about IPS and IDS,thanks"
    To: "Eric McCarty" <>
    Date: Wed, 17 Nov 2004 17:39:13 +0800

    Thanks for your reply.But I still some question about it:
    1.I see 'HIPS creates a baseline of normal activity' and 'NIPS to perform pattern-matching between what is known as an attack and the traffic that is traversing the network' in the Web of Vigilar.
    If the meaning of these two sentences is HIPS can only build the normal model to detect while NIPS can use the pattern matching as the IDS?
    2. If the 'IPS just knows its an attack which needs to be blocked/dropped/reset',what's the meaning of log the traffic?I think the logs is no meaning because of the integrity.These type logs can not distinguish any known attack.
    3.I am puzzling what technology is used of IDS by IPS?
    ----- Original Message -----
    From: "Eric McCarty" <>
    To: "Lily" <>; <>
    Sent: Wednesday, November 17, 2004 1:00 AM
    Subject: RE: need your help about IPS and IDS,thanks

    Responses Inline :

    1.IPS must build normal model while IDS can use the abnormal
    model(misuse detection)?If it is what's the difference between the IDS's
    anomaly detection and IPS?

    IDS can watch the whole session and figure out whats just happened. IPS
    must know long before the session is finished in order to Prevent
    anything from happening.

    4.Why someone said IPS can not log the trace of the attacks while IDS
    can do?I think IPS can do it easily.Maybe because IPS is in-line and log
    the trace needing many time?

    The IPS would see the same packets any IDS would, the difference is that
    once the IPS figured out the traffic is malicious it takes action. Thus
    the IPS log would be up to the point of action being taken, so an IDS
    may see the entire flow of traffic and more acurately match the traffic
    to a signature of a known attack while the IPS just knows its an attack
    which needs to be blocked/dropped/rset.

    So depressed with the IDS/IPS and my thesis is flying in the sky:( Thank
    you in advance.

    I had this great apricot beer the other day, I highly recommend it.


    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    Go to
    to learn more.

  • Next message: Lily: "Re: need your help about IPS and IDS,thanks"

    Relevant Pages

    • RE: need your help about IPS and IDS,thanks
      ... We run a SOC with IPSes. ... cause a DoS at high bandwidth), you can mitigate the attack without taking ... traditional firewall and IDS vendors try to protect their market shares. ... The main difference in my opinion is that IPS are inline and can therefore ...
    • RE: Recent Gartner IDS/IPS report
      ... > resources to properly analyze security reports, ... > replace the IDS products. ... since these same vendors compete with your ... Basing IPS entirely on IDS and making the offspring a single product is ...
    • RE: interesting paper on testing sig-based IDS
      ... Is this tool available to the general public as I do a lot of IPS ... IDS they were before with many signatures disabled with 2 NIC's. ... > You may also be interested in Automatic Generation and Analysis of NIDS ... > A common way to elude a signature-based NIDS is to transform an attack ...
    • RE: IDS alerts / second - Correlation - Virtualization
      ... combinations that operating systems and applications respond improperly ... IDS alerts / second - Correlation - Virtualization ... any IPS has to do IDS first. ...
    • RE: need your help about IPS and IDS,thanks
      ... I think of IPS as IDS with the ability to take action. ... Send TCP Reset (if killing TCP session and not sitting in-line) ... attack you are probably better off. ...