Intrusion Detection Systems mailing list archives
Re: a novice question. -reply
From: stuart () SiliconDefense com (Stuart Staniford-Chen)
Date: Mon, 27 Mar 2000 13:16:59 +0100
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Mark.Teicher () predictive com wrote:

> The problem is that with a large policy or rule set, so to speak, the rule set is loaded into memory, causing the hardware you are working on to be pegged at 100% memory and CPU usage. This is the case on most platforms; some CPU usage may differ among the operating systems selected for the IDS.
I don't think you have this part quite right. AFAIK IDSs ship with a few hundred to a few thousand signatures at most. Figure 100-1000 bytes per signature in memory, and we're talking a few MB to store the data structures at most. Memory for signatures shouldn't be a serious concern. (Memory for connection state obviously is, but that's a different issue). And if the IDS is having trouble keeping up speed-wise, having to load in things off disk is going to make it a whole lot worse, not better. The only situation where I can imagine it making sense to keep signatures on disk and pull them into memory on demand is if you have massive numbers of custom signatures (like hundreds of thousands) which are rarely used. I haven't heard of an IDS like that - but maybe you have? Even then, it would almost certainly be better to let the OS virtual memory system take care of it rather than coding the IDS to do the management itself.

> system. There needs to be some AI built into this pattern matching schema, but that is not that tough to do.

Well - actually I think it is tough to do well :-). But us PhD geeks are trying.
Stuart.
--
Stuart Staniford-Chen --- President --- Silicon Defense
stuart () silicondefense com
(707) 822-4588 (707) 826-7571 (FAX)
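As an added illustration of the sizing argument in Stuart's reply (this is example code written for this archive page, not anything from the list participants or from any IDS product): the script below builds a table of a few thousand constructed byte-pattern signatures, measures what they actually occupy in memory with `tracemalloc`, runs a naive match over a constructed payload, and contrasts the result with a per-flow connection-state estimate. The signature patterns, the `256` bytes per flow and the flow count are all constructed assumptions for the demonstration.

```python
import random
import tracemalloc

# Constructed example: synthetic signatures (random printable byte strings, 8-64
# bytes long), not real IDS rules. A fixed seed keeps the table reproducible.
def build_signatures(n, seed=0):
    rng = random.Random(seed)
    sigs = {}
    for i in range(n):
        length = rng.randint(8, 64)
        pattern = bytes(rng.randrange(33, 127) for _ in range(length))
        sigs[f"sig-{i:05d}"] = pattern
    return sigs

def measure_signature_memory(n):
    """Return (bytes allocated, signature count) for an in-memory table of n signatures."""
    tracemalloc.start()
    base, _ = tracemalloc.get_traced_memory()
    sigs = build_signatures(n)
    current, _ = tracemalloc.get_traced_memory()
    tracemalloc.stop()
    return current - base, len(sigs)

def match_payload(sigs, payload):
    """Naive in-memory matcher: names of every signature whose pattern occurs in payload."""
    return sorted(name for name, pattern in sigs.items() if pattern in payload)

def connection_state_bytes(flows, bytes_per_flow=256):
    """Rough per-flow state estimate; 256 bytes/flow is an assumed figure, not measured."""
    return flows * bytes_per_flow

if __name__ == "__main__":
    used, count = measure_signature_memory(2000)
    print(f"{count} signatures occupy about {used / 1024:.0f} KiB in memory")
    sigs = build_signatures(2000)
    # Constructed payload that embeds one known signature pattern.
    payload = b"GET /index.html HTTP/1.0\r\n" + sigs["sig-00007"] + b"\r\n"
    print("matched:", match_payload(sigs, payload))
    print(f"state for 100000 flows: {connection_state_bytes(100_000) / 1024 / 1024:.1f} MiB")
```

Even a generous table of 2000 signatures measures in the hundreds of kilobytes, which is why the reply puts the real memory pressure on connection tracking rather than on the rule set; a tool that spills its rules to disk under load would be adding I/O latency to the very hot path it needs to keep fast.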