Re: couple IDS development questions



Sorry for piping in late. If it is a new IDS project that you want to
start, have you considered working on a Host-based IPS? There is a lot
of potential in this field.

If your interests are limited to Network-based security systems, then
others on the list have already said what needs to be said.

~Z

On 16 Oct 2007 12:13:56 -0000, whilter@xxxxx <whilter@xxxxx> wrote:
Hi


Recently I'm working on a new IDS project.

As a matter of fact, at the moment I'm stuck at a point where I'm supposed to decide a few very important things:


1) Which language?? C/C++ with its already implemented projects (Snort, ModSecurity), or Java with its multiplatform option?


2) Should I just take a project and try to build a new one on top of it? Snort, for example? Has anybody done that before? Any suggestions?


3) How is a network IDS analyzing network activity when almost every packet nowadays is encrypted?


4) I'm thinking about encrypting IDS messages/alert packets as well. What cipher should I use?


I don't want to "go in the wrong direction" from the start, so please help ;]

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
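Question 4 above asks which cipher to use for alert messages. The following is an added example, not code from this thread or from any IDS project, of what a practitioner would recommend: an authenticated-encryption mode (AES-256-GCM, in Go) with a fresh nonce per alert, the sensor id and a per-sensor sequence number bound as associated data, and a sequence check at the console so a replayed or re-attributed alert is rejected. The envelope layout (sensor id and sequence number sent in the clear beside the sealed body), the sensor names and the 32-byte key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcmFor builds an AES-256-GCM AEAD from a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds sensor id and sequence number as associated data. Assumed envelope: both are
// sent in the clear beside the sealed body, but any change to either fails verification.
func aad(sensor string, seq uint64) []byte { return []byte(fmt.Sprintf("%s:%d", sensor, seq)) }

// SealAlert encrypts one alert body under a fresh random nonce; output is nonce||ciphertext||tag.
func SealAlert(key []byte, sensor string, seq uint64, alert []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, alert, aad(sensor, seq)), nil
}

// OpenAlert verifies and decrypts; seq must exceed lastSeq (highest already accepted from
// this sensor), so a replayed or reordered alert is refused before any decryption happens.
func OpenAlert(key, msg []byte, sensor string, seq, lastSeq uint64) ([]byte, error) {
	if seq <= lastSeq {
		return nil, fmt.Errorf("seq %d not above last accepted %d: replay or reorder", seq, lastSeq)
	}
	gcm, err := gcmFor(key)
	if err != nil || len(msg) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated message")
	}
	ns := gcm.NonceSize()
	alert, err := gcm.Open(nil, msg[:ns], msg[ns:], aad(sensor, seq))
	if err != nil {
		return nil, fmt.Errorf("authentication failed: tampered, wrong key, or mismatched sensor/seq")
	}
	return alert, nil
}
```

The key itself still has to reach each sensor and the console out of band (or via a key-exchange protocol); the example only covers what happens per alert once both sides hold it.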