Intrusion Detection Systems mailing list archives

Re: kernel implementations
From: mht () clark net (mht () clark net)
Date: Sat, 22 Jul 2000 02:35:44 -0700


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
Not quite. NFR has the same type of issues as their competitors do.  None 
of the current IDS applications are capable of handling a large number of 
packets (i.e. 1,000,000 jolt2 attacks).  Most of the IDSes almost go to 
100% CPU.  Implementing NFR correctly still requires extensive knowledge of 
TCP/IP, as stated in their Getting Started Guide and Advanced User's 
Guide.  NFR still needs quite a bit of work to produce the results you 
state below.  The NFR IDA appliance is a step in the right direction.
NFR still needs a lot of improvement in the number of signatures compared 
to the other products in the IDS Enterprise segment.

The point is unclear here: one does need to go to a "kernel"-based IDS 
system; one just needs to learn how to design an IDS system properly from 
existing technology.
In its true form, an IDS system is a traffic data collector.
At 06:43 PM 7/21/00 -0400, Dug Song wrote:
> On Fri, 21 Jul 2000, Robert Graham wrote:
> 
> > For network-IDS, it doesn't really make sense to have a "kernel"
> > implementation.
> 
> who said anything about kernel mode network IDS?
> 
> i think john is just trying to expose more of the bare metal to the
> application, exokernel style, with zero-copy packet sniffing.
> 
> NFR did something very similar, with excellent results.
> 
> -d.
> 
> ---
> http://www.monkey.org/~dugson
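The "zero-copy packet sniffing" Dug Song mentions, as an added example that is not part of the original thread and is neither NFR's code nor the design he refers to: on Linux the standard way to hand the bare metal to a sniffer is the AF_PACKET mmap ring (PACKET_MMAP, here TPACKET_V2). The kernel deposits captured frames in memory shared with the process; the application inspects each frame in place and flips a status word to give the slot back, so no packet bytes are copied across the kernel boundary. The fragment-offset check is an illustration of the kind of cheap, stateless per-packet inspection that avoids building reassembly state for every fragment in a flood such as the jolt2 stream mht describes. The interface name, the ring sizing and the sample frame are assumptions constructed for this example; the program needs CAP_NET_RAW and a Linux kernel to run against a live interface.

```c
/* Zero-copy sniffing with the Linux AF_PACKET mmap ring (PACKET_MMAP, TPACKET_V2).
 * Added illustration; interface name, ring geometry and sample frame are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <poll.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

struct pkt_view { const uint8_t *data; uint32_t len; }; /* points into the ring, never a copy */

/* 1 if the kernel has handed this ring slot to user space; *v then aliases the slot. */
int ring_frame_view(const uint8_t *frame, struct pkt_view *v)
{
    const struct tpacket2_hdr *h = (const struct tpacket2_hdr *)frame;
    if (!(h->tp_status & TP_STATUS_USER))
        return 0;
    __sync_synchronize();                 /* read the status before the frame bytes */
    v->data = frame + h->tp_mac;
    v->len = h->tp_snaplen;
    return 1;
}

/* Return the slot to the kernel once the packet has been inspected. */
void ring_frame_release(uint8_t *frame)
{
    struct tpacket2_hdr *h = (struct tpacket2_hdr *)frame;
    __sync_synchronize();                 /* finish reading before the kernel may overwrite */
    h->tp_status = TP_STATUS_KERNEL;
}

/* Stateless per-packet check, parsed in place: IPv4 fragment offset in bytes
 * (0 for a first fragment), or -1 if the frame is not an IPv4 fragment. */
long ipv4_frag_offset(const struct pkt_view *v)
{
    const uint8_t *p = v->data;
    if (v->len < ETH_HLEN + 20 || (p[12] << 8 | p[13]) != ETH_P_IP)
        return -1;
    const uint8_t *ip = p + ETH_HLEN;
    if ((ip[0] >> 4) != 4)
        return -1;
    uint16_t ff = (uint16_t)(ip[6] << 8 | ip[7]);
    uint16_t off = ff & 0x1FFF;
    int more = (ff & 0x2000) != 0;
    if (off == 0 && !more)
        return -1;                        /* unfragmented datagram */
    return (long)off * 8;
}

/* Constructed sample (not captured traffic): fill one slot the way the kernel would,
 * with a 42-byte Ethernet/IPv4/ICMP frame whose fragment field is frag_field.
 * Returns bytes used, 0 if cap is too small. */
size_t build_sample_frame(uint8_t *buf, size_t cap, uint16_t frag_field)
{
    const size_t mac = TPACKET_ALIGN(TPACKET2_HDRLEN);
    const uint8_t pkt[42] = {
        0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00, /* Ethernet */
        0x45,0x00, 0x00,0x1c, 0x12,0x34, (uint8_t)(frag_field >> 8), (uint8_t)frag_field,
        0x40,0x01, 0x00,0x00, 10,0,0,1, 10,0,0,2,                                 /* IPv4     */
        0x08,0x00,0x00,0x00, 0x00,0x00,0x00,0x00                                  /* ICMP     */
    };
    if (cap < mac + sizeof pkt)
        return 0;
    memset(buf, 0, mac + sizeof pkt);
    struct tpacket2_hdr *h = (struct tpacket2_hdr *)buf;
    h->tp_status = TP_STATUS_USER;
    h->tp_len = h->tp_snaplen = sizeof pkt;
    h->tp_mac = (uint16_t)mac;
    h->tp_net = (uint16_t)(mac + ETH_HLEN);
    memcpy(buf + mac, pkt, sizeof pkt);
    return mac + sizeof pkt;
}

/* View + check + release on a constructed slot. Returns the fragment offset seen,
 * -2 if the slot could not be viewed, -3 if release failed to hand it back. */
long sample_frag_offset(uint16_t frag_field)
{
    static uint8_t slot[256];
    struct pkt_view v;
    if (!build_sample_frame(slot, sizeof slot, frag_field) || !ring_frame_view(slot, &v))
        return -2;
    long off = ipv4_frag_offset(&v);
    ring_frame_release(slot);
    return ring_frame_view(slot, &v) ? -3 : off;
}

int main(int argc, char **argv)
{
    const char *ifname = argc > 1 ? argv[1] : "eth0";          /* assumed interface */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));     /* needs CAP_NET_RAW */
    int ver = TPACKET_V2;
    struct tpacket_req req = { .tp_block_size = 1 << 20, .tp_block_nr = 16,
                               .tp_frame_size = 2048, .tp_frame_nr = (1 << 20) / 2048 * 16 };
    struct sockaddr_ll ll = { .sll_family = AF_PACKET, .sll_protocol = htons(ETH_P_ALL),
                              .sll_ifindex = (int)if_nametoindex(ifname) };
    if (fd < 0 || setsockopt(fd, SOL_PACKET, PACKET_VERSION, &ver, sizeof ver) < 0 ||
        setsockopt(fd, SOL_PACKET, PACKET_RX_RING, &req, sizeof req) < 0 ||
        bind(fd, (struct sockaddr *)&ll, sizeof ll) < 0) {
        perror("AF_PACKET ring setup");
        return 1;
    }
    size_t ring_len = (size_t)req.tp_block_size * req.tp_block_nr;
    uint8_t *ring = mmap(NULL, ring_len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (ring == MAP_FAILED) { perror("mmap"); return 1; }
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    unsigned idx = 0, pkts = 0, frags = 0;
    while (pkts < 1000) {                 /* inspect 1000 frames in place, then stop */
        uint8_t *frame = ring + (size_t)idx * req.tp_frame_size;
        struct pkt_view v;
        if (!ring_frame_view(frame, &v)) { poll(&pfd, 1, -1); continue; }
        if (ipv4_frag_offset(&v) > 0) frags++;   /* non-first fragment: count, don't reassemble */
        ring_frame_release(frame);
        idx = (idx + 1) % req.tp_frame_nr;
        pkts++;
    }
    printf("%u frames inspected in place, %u non-first IPv4 fragments\n", pkts, frags);
    munmap(ring, ring_len);
    close(fd);
    return 0;
}
```

The two barriers matter: the status word is the only handshake with the kernel, so the frame bytes must not be read before it says TP_STATUS_USER, and the slot must not be returned until inspection is done. build_sample_frame is a test fixture standing in for what the kernel writes; on a live ring tp_mac, tp_snaplen and the status word are filled by the kernel, not by the application.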

