Intrusion Detection Systems mailing list archives
Re: IDS Comparison
From: robert_david_graham () yahoo com (Robert Graham)
Date: Sat, 4 Mar 2000 17:16:36 -0800 (PST)
--- Jackie Chan <blue0ne () igloo org> wrote:
Robert,
You give the impression that RealSecure won't even alert you to
what is going on when an attacker (why must we still call them hackers
when we know this is wrong) uses fragrouter. The truth is that
RealSecure WILL alert that fragmented packets are going through, from
what source, and to what destination. It is true that it will not tell
you specifically what the attack was, but let's not confuse users into
believing that they will have no idea as to what is happening. Oh, and by
the way, I don't work for a vendor, so my opinion is totally unbiased.
This is my point: RealSecure does very little protocol analysis. It doesn't truly understand the protocols going through the box, but instead just looks for a few patterns in the frames. It can see that packets are fragmented, but it doesn't know why. It doesn't really know why anything happens. Packets are fragmented for other reasons. This leads to the problem of false positives.

I've heard over and over that RealSecure collapses under the load of false positives. I've even had customers call us worrying that BlackICE wasn't working because they plugged in our box next to RealSecure and it was going off like mad, but BlackICE wasn't triggering anything. This was because there was no intrusion to detect. As soon as they started doing test intrusions, BlackICE caught them.

In contrast, BlackICE does full 7-layer stateful protocol analysis. When it triggers an alert, it does so from a fairly complete understanding of the protocol operations. There are still false positives, but dramatically fewer.

My point is, and I'm sure of it, that RealSecure is a toy. It isn't a serious IDS like Dragon/NFR/BlackICE. It certainly has a polished UI and lots of marketing behind it, but it isn't very sophisticated. But which would you rather have: a polished UI on a system that doesn't detect intrusions well, or a system that catches hackers?

Rob.
Network ICE
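The distinction Rob draws above, between matching patterns frame by frame and reassembling the datagram before inspection, as an added illustration that is not part of this thread or of any vendor's product (the fragments, addresses and the signature are constructed placeholders):

```python
import re
from collections import namedtuple
# Constructed example: a placeholder detection pattern and one HTTP request cut
# into IP-style fragments (ident, byte offset, more-fragments flag, payload).
SIGNATURE = re.compile(rb"GET /cgi-bin/EXAMPLE-SIG")
Fragment = namedtuple("Fragment", "src dst ident offset more payload")
SAMPLE = [  # cut so the pattern never sits inside any single fragment
    Fragment("10.0.0.5", "10.0.0.9", 1, 0, True, b"GET /cgi-bin/EXAM"),
    Fragment("10.0.0.5", "10.0.0.9", 1, 17, False, b"PLE-SIG HTTP/1.0\r\n\r\n"),
]

def per_fragment_alerts(frags):
    # Frame-by-frame matching: each fragment is inspected on its own, so the
    # sensor can report "fragments from A to B" but never what they carry.
    alerts = []
    for f in frags:
        if f.offset or f.more:
            alerts.append(("fragmented-packet", f.src, f.dst))
        if SIGNATURE.search(f.payload):
            alerts.append(("signature", f.src, f.dst))
    return alerts

def reassemble(frags):
    # Rebuild each datagram (keyed by ident) before inspection; overlapping
    # fragments with conflicting bytes are flagged instead of silently resolved.
    by_id = {}
    for f in frags:
        by_id.setdefault(f.ident, []).append(f)
    datagrams, anomalies = {}, []
    for ident, parts in by_id.items():
        parts.sort(key=lambda x: x.offset)
        buf, complete = b"", not parts[-1].more
        for f in parts:
            if f.offset > len(buf):        # hole: a fragment is still missing
                complete = False
                break
            n = min(len(buf) - f.offset, len(f.payload))   # overlap length
            if n and buf[f.offset:f.offset + n] != f.payload[:n]:
                anomalies.append(("overlap-mismatch", ident))
            buf = buf[:f.offset] + f.payload + buf[f.offset + len(f.payload):]
        if complete:
            datagrams[ident] = (parts[0].src, parts[0].dst, buf)
    return datagrams, anomalies

def stateful_alerts(frags):
    datagrams, anomalies = reassemble(frags)
    alerts = list(anomalies)
    for src, dst, data in datagrams.values():
        if SIGNATURE.search(data):
            alerts.append(("signature", src, dst))
    return alerts
```

On the sample, the per-fragment path only ever reports "fragmented-packet" for the source/destination pair, while the reassembling path names the signature; incomplete datagrams are held back rather than inspected.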
