Intrusion Detection Systems mailing list archives

Re: a novice question. -reply


From: Mark.Teicher () predictive com (Mark.Teicher () predictive com)
Date: Sun, 26 Mar 2000 15:32:30 -0800


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
I agree with Robert on this one: the concept behind IDS is to improve the way an IDS application can examine a packet coming across the wire and the number of attack signatures it knows about.

Most IDS systems are going towards something like what Livingston Enterprise released several years ago: downloadable filter sets, instead of loading the whole signature table into memory and then examining the packet. The concept is to do partial pattern matching (i.e. just like type-ahead in your browser) and load the signature table that is closely related. As the IDS application recognizes and processes the packet, it applies the correct signature match, then does whatever the system administrator selected it should do with the particular match (i.e. send something to the display, log the data, send a page, etc., etc.).

URL blocking could be handled the same way, without compromising the speed of an IDS system. If you are using an IDS system to look for Bad URLs, then one should really question your knowledge of what an IDS system is really used for. URL blocking can be handled at the ISP level, external router, URL blocking service, firewall and internal router level; an IDS's primary purpose is to alert a monitor monkey or the network operations folks if a particular Bad URL has gotten past the other levels of defense that have been set up. An IDS should not be your primary system checking for Bad URLs.

Hope this helps.

IDS vendors, if you would like more ideas, comments or suggestions on how to improve the overall IDS architecture of your particular product, feel free to drop me a private line and I will gladly share my ideas with you in trade for an old-fashioned 11-course home-cooked meal -:)..

/mht

Robert Graham <robert_david_graham () yahoo com>
Sent by: owner-ids () uow edu au
03/25/00 06:26 PM


        To:      "RajKumar S." <raj2569 () yahoo com>, ids () uow edu au
        cc:
        Subject: Re: IDS: a novice question.

--- "RajKumar S." <raj2569 () yahoo com> wrote:
> since the performance of an IDS system can be improved if the number of attack signatures can be reduced.

This is generally a myth: reducing the number of attack signatures will rarely have any effect on performance.

IDS is generally a decision tree. Pruning unused branches has no effect. For example, if you are monitoring network traffic on your website, then removing signatures for SNMP, Telnet, NFS, etc. will have impact.

Another example is to consider an IDS that examines only URLs against your website. In this case, you will notice a slight improvement if you can drastically reduce the number of URLs. I say "drastic" because the complexity of IDS is similar to O(log n). This is similar to a phone book: how long does it take you to look up the name "Robert Graham" in the phone books of New York City vs. Poughkeepsie? The NYC phone book is a thousand times the size, but it doesn't really take you any longer.

Similarly, reducing the number of signatures in an IDS will have no appreciable effect. In any event, the IDS I work on grows in the number of signatures AND speed in every release.

Robert Graham

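The decision-tree argument in Robert's reply, and the "load only the closely related signature table" idea in Mark's, as an added example that is not code from either poster: a constructed rule set is matched by a (service bucket, then byte trie) tree and by a naive linear scan, counting the steps each needs for one web packet with and without the non-web rules. The ports, pattern prefixes and payload are made up for the illustration.

```python
# Added example (not from the thread): a toy matcher showing why pruning unused
# signatures barely changes per-packet cost once rules form a decision tree (service
# bucket, then a byte trie), unlike a naive linear scan. All values are constructed.

PREFIX = {21: "USER ", 23: "login: ", 25: "HELO ", 53: "query ",
          80: "GET /cgi-bin/", 111: "rpc ", 161: "snmp "}  # constructed per-service prefixes

def make_signatures(n):
    """Construct n distinct (proto, dport, pattern) rules spread over seven services."""
    ports = sorted(PREFIX)
    return [("tcp", ports[i % 7], PREFIX[ports[i % 7]] + f"sig{i:06d}") for i in range(n)]

class SignatureTree:
    """Decision tree: branch on (proto, dport), then walk a trie of pattern characters."""
    def __init__(self, signatures):
        self.root = {}
        for proto, dport, pattern in signatures:
            node = self.root.setdefault((proto, dport), {})
            for ch in pattern:
                node = node.setdefault(ch, {})
            node[None] = pattern  # leaf marker: a complete pattern ends here

    def match(self, proto, dport, payload):
        """Return (longest matching pattern or None, trie nodes visited)."""
        node = self.root.get((proto, dport))
        steps, hit = 1, None
        for ch in (payload if node is not None else ""):
            node = node.get(ch)
            steps += 1
            if node is None:  # no rule continues with this byte: stop early
                break
            hit = node.get(None, hit)
        return hit, steps

def linear_match(signatures, proto, dport, payload):
    """Naive scan: test every rule in order, so cost grows with the rule count."""
    for steps, (p, d, pattern) in enumerate(signatures, 1):
        if p == proto and d == dport and payload.startswith(pattern):
            return pattern, steps
    return None, len(signatures)

def compare(n, payload, proto="tcp", dport=80):
    """Cost of one web packet against n rules, with and without the non-web rules."""
    sigs = make_signatures(n)
    pruned = [s for s in sigs if s[1] == dport]  # drop the SNMP/Telnet/FTP/... rules
    return {"tree_all": SignatureTree(sigs).match(proto, dport, payload),
            "tree_pruned": SignatureTree(pruned).match(proto, dport, payload),
            "linear_all": linear_match(sigs, proto, dport, payload)}
```

Running `compare(n, "GET /cgi-bin/sig999999 HTTP/1.0\r\n")` for n = 100 and n = 10000 gives 18 tree visits in every case, while the linear scan costs n.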

