Re: need your help about IPS and IDS,thanks
From: Lily (xiaoche111_at_hotmail.com)
Date: 11/17/04
- Previous message: Lily: "Re: need your help about IPS and IDS,thanks"
- In reply to: Ophir Rachman: "RE: need your help about IPS and IDS,thanks"
- Next in thread: Andy Cuff: "RE: need your help about IPS and IDS,thanks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <ophir@securimine.com>
Date: Wed, 17 Nov 2004 16:25:02 +0800
My thesis focuses on several levels of protection, and IPS is an important part of it. But I know little about IPS and cannot distinguish IPS from 'anomaly' detection IDS other than inline vs. passive; I think the detailed technology of the two is the same, because both build a normal model.
I thought about doing a data mining analysis tool several days ago, but I think it is difficult for me. I am looking forward to SFS, but I think maybe I cannot understand how it works because I still have not used Snort. I am a green hand in IDS/IPS and only know a little :(
----- Original Message -----
From: "Ophir Rachman" <ophir@securimine.com>
To: <focus-ids@securityfocus.com>
Sent: Wednesday, November 17, 2004 4:45 AM
Subject: RE: need your help about IPS and IDS,thanks
> Lily,
> I am not sure what your thesis focus is and what exactly the project is about,
> but I happen to work in a company called Securimine which is distributing
> SFS - a data mining analysis tool for snort (you may have a look - I will
> love your feedback). I have some thoughts for you that might be helpful:
> - IPS and IDS are not really different. They both monitor the systems, make
> some decisions based on rules (these can be behavioral rules or specific
> attack signatures), and then decide on an action.
> - The one difference is that IDS do not support 'block' as an action while
> IPS do. This difference implies that IPS must be positioned inline while IDS
> can be passive.
> - The dream of IPS is that the security system will do everything for you
> and will make sure that everything that needs to be prevented is prevented
> and the rest is just logged. This dream is NOT true and, if I may say so,
> will never come true (perhaps only for DDoS and 'quantity oriented' attacks
> like worms). The reality is that the best IPS systems today have 10% of
> their ruleset marked as 'blocking' since 90% of the rules create too much
> noise. Eliminating the noisy rules diminishes the value of the detection
> engine and is not realistic.
> - Without doing too much marketing, this is why we started Securimine. We
> believe that even if you block what you can, there is still going to be tons
> of data generated by the other rules which is important and needs to be
> analyzed. This is the true value of data mining: the ability to identify
> the normal behavior from the data itself and alert when things out of the
> ordinary happen.
>
> Hope that helps,
> Ophir Rachman, Ph.D.
> Securimine Software Inc.
> ophir@securimine.com
>
> -----Original Message-----
> From: Lily [mailto:xiaoche111@hotmail.com]
> Sent: Saturday, November 13, 2004 6:53 AM
> To: focus-ids@securityfocus.com
> Subject: need your help about IPS and IDS,thanks
>
> Hi all,
> I have some questions to ask which I think must be simple for you.
> 1. Must IPS build a normal model while IDS can use the abnormal
> model (misuse detection)? If so, what's the difference between IDS
> anomaly detection and IPS?
> 2. Has someone formally used data mining technology in IPS?
> 3. Besides DoS and buffer overflow etc., has any other method been used in
> IPS, such as user behaviour analysis?
> 4. Why do some people say IPS cannot log the trace of attacks while IDS
> can? I think IPS can do it easily. Maybe because IPS is in-line and logging
> the trace needs a lot of time?
> So depressed with the IDS/IPS and my thesis is flying in the sky:(
> Thank you in advance.
>
> Lily
>
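Ophir's last point, a baseline of "normal" learned from the alert stream that the non-blocking 90% of rules produce, with alerts only when a rule fires far outside its own rate, as an added example that is not SFS and not code from either poster. The Snort fast-format alert lines, the rule ids 1000/2000, the hourly counts and the addresses are all constructed here for the demonstration.

```python
import re
from collections import Counter
from statistics import mean, pstdev
FAST_ALERT = re.compile(
    r"^\d\d/\d\d-(?P<hour>\d\d):\d\d:\d\d\.\d+ \[\*\*\] \[\d+:(?P<sid>\d+):\d+\] "
    r"(?P<msg>.*?) \[\*\*\] .*\{(?P<proto>\w+)\} (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$")

def make_alert(hour, n, sid, msg, proto, src, dst):
    """Constructed Snort 'fast' alert lines: n firings of one rule in one hour."""
    return [f"11/17-{hour:02d}:{i % 60:02d}:00.000000 [**] [1:{sid}:1] {msg} [**] "
            f"[Classification: test] [Priority: 2] {{{proto}}} {src} -> {dst}"
            for i in range(n)]

def parse_alert(line):
    """One fast-format line -> dict of the fields the baseline needs, or None."""
    m = FAST_ALERT.match(line)
    return {"hour": int(m["hour"]), "sid": int(m["sid"]), "msg": m["msg"],
            "src": m["src"], "dst": m["dst"]} if m else None

def hourly_counts(alerts):
    """{sid: Counter(hour -> firings)} over parsed alerts."""
    counts = {}
    for a in alerts:
        counts.setdefault(a["sid"], Counter())[a["hour"]] += 1
    return counts

def find_anomalies(alerts, train_hours, test_hour, z_threshold=3.0):
    """Learn mean/stddev per rule over train_hours (silent hours count as 0),
    then report rules whose test_hour count exceeds mean + z_threshold*stddev."""
    anomalies = []
    for sid, per_hour in hourly_counts(alerts).items():
        history = [per_hour.get(h, 0) for h in train_hours]
        mu, sigma = mean(history), pstdev(history)
        observed = per_hour.get(test_hour, 0)
        z = (observed - mu) / max(sigma, 1.0)  # floor: a flat rule is not infinitely odd
        if z > z_threshold:
            anomalies.append((sid, observed, round(mu, 1), round(z, 1)))
    return sorted(anomalies)

# Constructed traffic: sid 1000 fires 8-12 times an hour for six hours and 60
# times in hour 6; sid 2000 fires a steady 3 an hour throughout.
LINES = []
for h, n in enumerate([8, 12, 10, 9, 11, 10, 60]):
    LINES += make_alert(h, n, 1000, "ICMP PING", "ICMP", "10.0.0.5", "10.0.0.1")
    LINES += make_alert(h, 3, 2000, "WEB-MISC robots.txt access", "TCP", "10.0.0.9", "10.0.0.2")
ALERTS = [a for a in map(parse_alert, LINES) if a]
if __name__ == "__main__":
    for sid, seen, expected, z in find_anomalies(ALERTS, range(6), 6):
        print(f"sid {sid}: {seen} alerts in hour 6 vs baseline {expected}/h (z={z})")
```

Only the ICMP rule is reported for hour 6; the steady web rule stays quiet, which is the point of judging each rule against its own history rather than a global threshold.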