Re: need your help about IPS and IDS,thanks

• Previous message: Ophir Rachman: "RE: need your help about IPS and IDS,thanks"
• In reply to: Eric McCarty: "RE: need your help about IPS and IDS,thanks"
• Next in thread: Andy Cuff: "RE: need your help about IPS and IDS,thanks"
• Reply: Andy Cuff: "RE: need your help about IPS and IDS,thanks"
• Reply: Chris Petersen: "RE: need your help about IPS and IDS,thanks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: "Eric McCarty" <eric@piteduncan.com>
Date: Wed, 17 Nov 2004 17:39:13 +0800

Thanks for your reply.But I still some question about it:
1.I see 'HIPS creates a baseline of normal activity' and 'NIPS to perform pattern-matching between what is known as an attack and the traffic that is traversing the network' in the Web of Vigilar.
If the meaning of these two sentences is HIPS can only build the normal model to detect while NIPS can use the pattern matching as the IDS?
2. If the 'IPS just knows its an attack which needs to be blocked/dropped/reset',what's the meaning of log the traffic?I think the logs is no meaning because of the integrity.These type logs can not distinguish any known attack.
3.I am puzzling what technology is used of IDS by IPS?
----- Original Message -----
From: "Eric McCarty" <eric@piteduncan.com>
To: "Lily" <xiaoche111@hotmail.com>; <focus-ids@securityfocus.com>
Sent: Wednesday, November 17, 2004 1:00 AM
Subject: RE: need your help about IPS and IDS,thanks


Responses Inline :

1.IPS must build normal model while IDS can use the abnormal
model(misuse detection)?If it is what's the difference between the IDS's
anomaly detection and IPS?

IDS can watch the whole session and figure out whats just happened. IPS
must know long before the session is finished in order to Prevent
anything from happening.

4.Why someone said IPS can not log the trace of the attacks while IDS
can do?I think IPS can do it easily.Maybe because IPS is in-line and log
the trace needing many time?

The IPS would see the same packets any IDS would, the difference is that
once the IPS figured out the traffic is malicious it takes action. Thus
the IPS log would be up to the point of action being taken, so an IDS
may see the entire flow of traffic and more acurately match the traffic
to a signature of a known attack while the IPS just knows its an attack
which needs to be blocked/dropped/rset.

So depressed with the IDS/IPS and my thesis is flying in the sky:( Thank
you in advance.

I had this great apricot beer the other day, I highly recommend it.



Lily

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------

• Previous message: Ophir Rachman: "RE: need your help about IPS and IDS,thanks"
• In reply to: Eric McCarty: "RE: need your help about IPS and IDS,thanks"
• Next in thread: Andy Cuff: "RE: need your help about IPS and IDS,thanks"
• Reply: Andy Cuff: "RE: need your help about IPS and IDS,thanks"
• Reply: Chris Petersen: "RE: need your help about IPS and IDS,thanks"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]