need your help about IPS and IDS,thanks

From: Zhuowei Li (zhuowei_at_gmail.com)
Date: 11/18/04

  • Next message: Tom: "parsing very large tcpdump files"
    Date: Thu, 18 Nov 2004 17:29:08 +0800
    To: focus-ids@securityfocus.com
    
    

    Hi,

    In my mind, the IPS system will be included in the IDS system. Their
    detection capability can actually be the same technique. The only
    difference is whether there is a response component in the IDS system. I
    am doing research on anomaly detection but found that it is applicable
    to IPS as well, considering some specific requirements as you said:
    inline, proactive/passive, realtime etc.

    For more useful information about IPS, please proceed to the earlier
    post by Maarten, or alternatively, you can go to
    http://usaid.blogspot.com/2004/09/intrusion-prevention-systems-excerpted.html
    for it.

    Rgds!
    Li

    On Wed, 17 Nov 2004 16:25:02 +0800, Lily <xiaoche111@hotmail.com> wrote:
    > My thesis focuses on several levels of protection, and the IPS is the important part. But I know little about IPS and I cannot distinguish the IPS and 'anomaly' detection IDS besides inline and passive; I think the detailed technology of the two is the same, because they all build a normal model.
    > I thought to do a data mining analysis tool several days ago, but I think it is difficult for me. I am expecting the SFS, but I think maybe I cannot understand how it works because I still do not use snort. I am a green hand in IDS/IPS and I only know a little :(
    >
    >
    > ----- Original Message -----
    > From: "Ophir Rachman" <ophir@securimine.com>
    > To: <focus-ids@securityfocus.com>
    > Sent: Wednesday, November 17, 2004 4:45 AM
    > Subject: RE: need your help about IPS and IDS,thanks
    >
    > > Lily,
    > > I am not sure what your thesis focus is and what exactly the project is about,
    > > but I happen to work in a company called Securimine which is distributing
    > > SFS - a data mining analysis tool for snort (you may have a look - I will
    > > love your feedback). I have some thoughts for you that might be helpful:
    > > - IPS and IDS are not really different. They both monitor the systems, make
    > > some decisions based on rules (these can be behavioral rules or specific
    > > attack signatures), and then decide on action.
    > > - The one difference is that IDS do not support 'block' as an action while
    > > IPS do. This difference implies that IPS must be positioned inline while IDS
    > > can be passive.
    > > - The dream of IPS is that the security system will do everything for you
    > > and will make sure that everything that needs to be prevented is prevented
    > > and the rest is just logged. This dream is NOT true and if I may say so,
    > > will never come true (perhaps only for DDoS and 'quantity oriented' attacks
    > > like worms). The reality is that the best IPS systems today have 10% of
    > > their ruleset marked as 'blocking' since 90% of the rules create too much
    > > noise. Eliminating the noisy rules diminishes the value of the detection
    > > engine and is not realistic.
    > > - Without doing too much marketing, this is why we started Securimine. We
    > > believe that even if you block what you can, there is still going to be tons
    > > of data generated by the other rules which is important and needs to be
    > > analyzed. This is the true value of data mining - the ability to identify
    > > the normal behavior from the data itself and alert when things out of the
    > > ordinary happen.
    > >
    > > Hope that helps,
    > > Ophir Rachman, Ph.D.
    > > Securimine Software Inc.
    > > ophir@securimine.com
    > >
    > > -----Original Message-----
    > > From: Lily [mailto:xiaoche111@hotmail.com]
    > > Sent: Saturday, November 13, 2004 6:53 AM
    > > To: focus-ids@securityfocus.com
    > > Subject: need your help about IPS and IDS,thanks
    > >
    > > hi, all
    > > I have some questions to ask which must be simple to you, I think.
    > > 1. IPS must build a normal model while IDS can use the abnormal
    > > model (misuse detection)? If so, what's the difference between the IDS's
    > > anomaly detection and IPS?
    > > 2. Has someone formally used the data mining technology in IPS?
    > > 3. Besides DoS and buffer overflow etc., have any other methods been used in
    > > IPS, such as user behaviour analysis?
    > > 4. Why did someone say IPS cannot log the trace of the attacks while IDS
    > > can? I think IPS can do it easily. Maybe because IPS is in-line and logging
    > > the trace needs much time?
    > > So depressed with the IDS/IPS and my thesis is flying in the sky :(
    > > Thank you in advance.
    > >
    > > Lily
    > >
    > > --------------------------------------------------------------------------
    > > Test Your IDS
    > >
    > > Is your IDS deployed correctly?
    > > Find out quickly and easily by testing it with real-world attacks from
    > > CORE IMPACT.
    > > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > > to learn more.
    > > --------------------------------------------------------------------------
    > >
    > >

    --
    Regards!
    Sincerely yours,
    Li Zhuowei
    -----------------------------------------------------------------------------
    Ph.D. candidate
    Email: zhwei.li@pmail.ntu.edu.sg
    More: http://www.cais.ntu.edu.sg/~zhuowei
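As an added illustration of Ophir's point above that only the small, low-noise part of a ruleset is safe to run in blocking mode (example code written for this page, not Securimine's or Snort's own; the sids, rule lines and analyst verdicts are constructed placeholders):

```python
import re
from collections import Counter, defaultdict

# Constructed alert history: (rule sid, analyst verdict) pairs. The sids are
# placeholders, not real Snort rule ids; verdicts are "tp" (true positive) or
# "fp" (false positive) as recorded by the analyst who reviewed each alert.
ALERT_HISTORY = (
    [(1001, "tp")] * 6
    + [(1002, "tp")] * 4 + [(1002, "fp")]
    + [(1003, "tp")] * 3
    + [(1004, "fp")] * 8
    + [(1005, "tp")] * 10
)

# Constructed Snort-style rule lines, all currently in 'alert' (IDS) mode.
RULES = {
    1001: 'alert tcp any any -> $HOME_NET 80 (msg:"constructed rule 1001"; sid:1001;)',
    1002: 'alert tcp any any -> $HOME_NET 25 (msg:"constructed rule 1002"; sid:1002;)',
    1004: 'alert udp any any -> $HOME_NET 53 (msg:"constructed rule 1004"; sid:1004;)',
}

def rule_stats(history):
    """Count analyst verdicts per rule sid."""
    stats = defaultdict(Counter)
    for sid, verdict in history:
        stats[sid][verdict] += 1
    return stats

def choose_actions(history, min_reviewed=5, min_precision=0.95):
    """Promote a rule to 'drop' only when enough of its alerts were reviewed
    and nearly all of them were true positives. Everything else stays 'alert'
    so its events are still logged for the offline analysis Ophir describes."""
    actions = {}
    for sid, counts in rule_stats(history).items():
        reviewed = counts["tp"] + counts["fp"]
        precision = counts["tp"] / reviewed if reviewed else 0.0
        safe = reviewed >= min_reviewed and precision >= min_precision
        actions[sid] = "drop" if safe else "alert"
    return actions

def blocking_fraction(actions):
    """Share of the ruleset that ends up in blocking mode."""
    return sum(1 for a in actions.values() if a == "drop") / len(actions)

_ACTION_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\b")

def rewrite_action(rule_line, action):
    """Replace the leading action keyword of a Snort rule line."""
    return _ACTION_RE.sub(action, rule_line, count=1)

def retuned_ruleset(rules, history):
    """Apply the chosen actions to the rule lines; unknown sids stay 'alert'."""
    actions = choose_actions(history)
    return {sid: rewrite_action(line, actions.get(sid, "alert"))
            for sid, line in rules.items()}
```

Rule 1003 stays in alert mode despite a perfect record because three reviewed alerts are too few to trust; raising min_reviewed or min_precision shrinks the blocking subset further.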
    
