Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Intrusion Detection Systems mailing list archives

Re: kernel implementations
From: dugsong () monkey org (Dug Song)
Date: Sat, 22 Jul 2000 07:22:45 -0400 (EDT)

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
On Sat, 22 Jul 2000 mht () clark net wrote:


None of the current IDS applications are capable of handling a large
amount of packets (i.e. 1,000,000 jolt2 attacks). Most of the IDS's
almost go to 100% CPU.


oh please. no IDS in the world, network-based or otherwise, will perform
the kind of alert compression needed to handle a sustained flood of
attacks, much less the receiver lock in processing them. that isn't what
the hiverworld folks were talking about at all, or what the NFR guys
implemented - they're just looking to reduce memory copies internally,
nothing more. using a NIC with working DMA will also help in this regard.


NFR still needs a lot of improvement in the number of signatures
compared to the other products in IDS Enterprise segment.


you've been brainwashed by vendors playing the IDS-by-numbers game.


The point is unclear here, one does need to go to a "kernel" based IDS
system, one just needs to learn how to design an IDS system properly
from existing technology.


NFR published a decent paper on the subject at USENIX LISA 1997 - do you
have something better? please explain your insistence on a "kernel-based"
IDS, and its salient difference from existing systems - i don't get it.


In its true form, an IDS system is a traffic data collector.


at CITI, we're working on a updated version of our "packet vault" - what
i'd always imagined the NFR to be, a black box that simply records ALL
traffic on the network for later analysis. the cryptographic organization
of the saved data enforces our local policy on the disclosure of evidence:

http://www.citi.umich.edu/techreports/reports/citi-tr-98-5-usenix.ps.gz

this kind of application definitely requires the kind of optimizations
discussed earlier (zero-copy packet handling), as well as some that
haven't (kernel support for hardware crypto acceleration, as in OpenBSD,
etc.). but i don't really consider this to be IDS per se, just raw data
collection for post-mortem forensics...

-d.

http://www.monkey.org/~dugsong/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]