Intrusion Detection Systems: Re: Hybrid IDS

Re: Hybrid IDS

From: <mark.teicher_at_networkice.com>
Date: Thu, 07 Sep 2000 16:56:55 -0700

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner_at_uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo_at_uow.edu.au
-----------------------------------------------------------------------------
John,

OK, I retract my statement regarding not hearing from HiverWorld. I know
for a fact I left a few messages on your voicemail and did not hear back
from either yourself or Patrick Heim.. Did speak with someone female
regarding that you were in meetings all day.. :) I have forwarded your
reply to Rob, and hopefully we can coordinate the arrangement of the test
this time, I am making no promises, since we are approaching some heavy
deadlines.. :)

John, call me when you have time so that we can make sure the coordination
effort happens.

/mark

At 04:29 PM 9/7/00 -0700, John S Flowers wrote:
>Mark,
>
>I've had a message into Robert Graham and cc'd other persons for the
>last 2 weeks or so. I've sent numerous messages commenting on the
>challenge and even replied to the document entitled "jolt2" that was
>sent by Robert to myself and others.
>
>In reference to the document - http://www.robertgraham.com/op-ed/jolt2
>-- On August 24th I said, "I like what you've written (jolt2) and think
>you should publish it."
>
>I believe that the claims made by Robert Graham are so outrageous that
>there's no real need to even validate them (see the link above, if it's
>even active). I'm sure that everyone will see this to be the case if
>this document actually makes it to the public.
>
>Otherwise, I'm more than happy to actually run a real test against your
>IDS and see if it can sustain 148,800 packets per second and provide
>alerting/counting on the attack.
>
>This was the original claim made by Robert to the crowd at Defcon and to
>the IDS list a while ago (i.e. not the single packet against an invalid
>IP address that is mentioned in this document). This is the claim that
>I believe Robert should stick to, not the "jolt2 test" in the document
>at the link above.
>
>I've not yet received a copy of BlackICE for the purpose of this real
>world test and I haven't heard from Robert since Aug 24th (2 weeks ago).
>
>For the record -- I've been seriously busy, but I HAVE kept in touch
>with Network ICE and Robert Graham since this claim was made. So the
>accusation that "no one has heard from Hiverworld since" is completely
>misleading.
>
>"Teicher, Mark" wrote:
> >
> > At 10:02 AM 9/7/00 -0400, Marcus J. Ranum wrote:
> >
> > >One place where the personal firewall / IDS hybrids present an
> > >interesting challenge to clarity is in performance marketing.
> > >Since they're operating at a packet level (sort of) an unscrupulous
> > >vendor (hi! you know who you are!) could claim their performance
> > >figures in terms of packets processed/second. So the vendor could
> > >say "in recent tests, our network IDS handled 10,000,000,000
> > >packets/second!!" without mentioning clearly that this was
> > >accomplished using a single host on a switch, but the host was
> > >only looking for attacks directed at itself... Such claims have
> > >already been made - clearly deceptive, but there you have it.
> >
> > Whoa, wait a minute here, Network ICE accepted the challenge from
> > Hiverworld at DefCon, and Network ICE was ready. No one has heard from
> > HiverWorld since.
> >
> > Ah yes, Marketing, blame NAI, Symantec and Zonelabs for re-defining the
> > market space or in other words segmenting a very infant market space. So
> > every vendor is attempting to fit into as many market spaces as it can, in
> > order to get the largest customer base.
> >
> > >>Is there a clear cut definition out there somewhere?
> > >
> > >You're asking if marketing respects technical language? <giggle>
> > >I wish... :( We went through the same kind of nonsense early
> > >on in the firewall days - proxy firewalls, stateful turbo
> > >multi-whomping packet examination, etc, etc. Eventually terms
> > >settle down when the marketing folks find a set of features
> > >they can tout that don't cause people to break out in belly
> > >laughter whenever they use it.
> >
> > I tend to agree with MJR on this space, the marketing type firms out there
> > don't really understand the space or the techie geekie stuff that some of
> > us utter to them. They tend to grab onto the first one or two blurbs of
> > techie talk and that's what they stick with. You try to explain to them the
> > difference between packet grepping and protocol decode, they get all glossy
> > eyed and almost fall over from boredom. The marketing type people layman
> > explanations that some of us can never get across to them without bursting
> > out laughing.. :)
> >
> > /mark
> >
> > >mjr.
> > >-----
> > >Marcus J. Ranum
> > >Chief Technology Officer, Network Flight Recorder, Inc.
> > >Work: http://www.nfr.net
> > >Personal: http://www.ranum.com
>
>--
>John S Flowers <jflowers_at_hiverworld.com>
>Chief Scientist http://www.hiverworld.com
>510.848.0740 x 724 [Office] 510.841.2447 [Fax]
Received on Sep 08 2000