Re: need your help about IPS and IDS,thanks

From: Lily (xiaoche111_at_hotmail.com)
Date: 11/17/04

    To: <ophir@securimine.com>
    Date: Wed, 17 Nov 2004 16:25:02 +0800
    
    

    My thesis focuses on several levels of protection, and the IPS is an important part. But I know little about IPS, and I cannot distinguish the IPS from 'anomaly' detection IDS besides inline vs. passive; I think the detailed technology of the two is the same, because both build a normal model.
    I thought about doing a data mining analysis tool several days ago, but I think it is difficult for me. I am expecting the SFS, but I think maybe I cannot understand how it works because I still do not use snort. I am a green hand in IDS/IPS and I only know a little :(
    ----- Original Message -----
    From: "Ophir Rachman" <ophir@securimine.com>
    To: <focus-ids@securityfocus.com>
    Sent: Wednesday, November 17, 2004 4:45 AM
    Subject: RE: need your help about IPS and IDS,thanks


    > Lily,
    > I am not sure what your thesis focus is and what exactly the project is about,
    > but I happen to work in a company called Securimine which is distributing
    > SFS - a data mining analysis tool for snort (you may have a look - I would
    > love your feedback). I have some thoughts for you that might be helpful:
    > - IPS and IDS are not really different. They both monitor the systems, make
    > some decisions based on rules (these can be behavioral rules or specific
    > attack signatures), and then decide on an action.
    > - The one difference is that IDS does not support 'block' as an action while
    > IPS does. This difference implies that IPS must be positioned inline while IDS
    > can be passive.
    > - The dream of IPS is that the security system will do everything for you
    > and will make sure that everything that needs to be prevented is prevented
    > and the rest is just logged. This dream is NOT true and, if I may say so,
    > will never come true (perhaps only for DDoS and 'quantity oriented' attacks
    > like worms). The reality is that the best IPS systems today have 10% of
    > their ruleset marked as 'blocking', since 90% of the rules create too much
    > noise. Eliminating the noisy rules diminishes the value of the detection
    > engine and is not realistic.
    > - Without doing too much marketing, this is why we started Securimine. We
    > believe that even if you block what you can, there are still going to be tons
    > of data generated by the other rules which are important and need to be
    > analyzed. This is the true value of data mining - the ability to identify
    > the normal behavior from the data itself and alert when things out of the
    > ordinary happen.
    >
    > Hope that helps,
    > Ophir Rachman, Ph.D.
    > Securimine Software Inc.
    > ophir@securimine.com
    >
    > -----Original Message-----
    > From: Lily [mailto:xiaoche111@hotmail.com]
    > Sent: Saturday, November 13, 2004 6:53 AM
    > To: focus-ids@securityfocus.com
    > Subject: need your help about IPS and IDS,thanks
    >
    > Hi all,
    > I have some questions to ask which must be simple for you, I think.
    > 1. Must an IPS build a normal model while an IDS can use the abnormal
    > model (misuse detection)? If so, what's the difference between the IDS's
    > anomaly detection and IPS?
    > 2. Has someone formally used data mining technology in IPS?
    > 3. Besides DoS and buffer overflow etc., has any other approach been used in
    > IPS, such as user behaviour analysis?
    > 4. Why did someone say IPS cannot log the trace of the attacks while IDS
    > can? I think IPS can do it easily. Maybe because IPS is in-line and logging
    > the trace needs much time?
    > So depressed with the IDS/IPS, and my thesis is flying in the sky :(
    > Thank you in advance.
    >
    > Lily
    >
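As an added illustration, not code from this thread or from Securimine's SFS, the following Python sketch models the distinction Ophir draws above: IDS and IPS evaluate the same rules, the only extra action an inline engine has is 'drop', and promoting a noisy rule to blocking mode costs legitimate traffic, which is why most rules stay alert-only. The rule names, the four packets and their 'legit' labels are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
Packet = Dict[str, object]

@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]  # detection predicate (signature or behaviour)
    action: str                      # "alert" = log only, "drop" = block
@dataclass
class Engine:
    rules: List[Rule]
    inline: bool                     # True: IPS in the traffic path; False: passive IDS
    log: List[Tuple[str, str, object]] = field(default_factory=list)

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it was blocked."""
        for rule in self.rules:
            if rule.match(pkt):
                self.log.append((rule.name, rule.action, pkt["id"]))
                # A passive sensor only sees a copy of the traffic and can log;
                # only an inline engine can turn a 'drop' verdict into a block.
                if rule.action == "drop" and self.inline:
                    return False
        return True

# Constructed sample traffic; 'legit' is ground truth used to count false blocks.
TRAFFIC: List[Packet] = [
    {"id": 1, "dst_port": 80,  "payload": "GET /index.html",       "legit": True},
    {"id": 2, "dst_port": 80,  "payload": "GET /../../etc/passwd", "legit": False},
    {"id": 3, "dst_port": 445, "payload": "SMB negotiate",         "legit": True},
    {"id": 4, "dst_port": 445, "payload": "SMB negotiate",         "legit": True},
]

def traversal(pkt: Packet) -> bool:     # precise signature: low noise
    return "../" in str(pkt["payload"])

def smb_activity(pkt: Packet) -> bool:  # broad behavioural rule: noisy
    return pkt["dst_port"] == 445
def run(rules: List[Rule], inline: bool):
    """Return (ids forwarded, ids of legitimate packets wrongly blocked, event log)."""
    eng = Engine(rules, inline)
    forwarded = [p["id"] for p in TRAFFIC if eng.process(p)]
    false_blocks = [p["id"] for p in TRAFFIC if p["legit"] and p["id"] not in forwarded]
    return forwarded, false_blocks, eng.log
# Tuned: only the precise rule may block (the small 'blocking' subset from the thread).
TUNED = [Rule("traversal", traversal, "drop"), Rule("smb-activity", smb_activity, "alert")]
# Greedy: the noisy rule is promoted to 'drop' as well.
GREEDY = [Rule("traversal", traversal, "drop"), Rule("smb-activity", smb_activity, "drop")]
```

Running `run(TUNED, inline=True)` blocks only packet 2, while `run(GREEDY, inline=True)` also blocks the two legitimate SMB packets; the passive engine forwards everything in both cases and only produces log events.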

