Intrusion Detection Systems mailing list archives

Re: Re : Market Segmentation of IDS


From: mark.teicher () networkice com
Date: Tue, 19 Sep 2000 11:54:28 -0700

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
http://www.ticm.com/kb/faq/idsfaq.html#1.1


What is a "network intrusion detection system (NIDS)"?

An intrusion is somebody (A.K.A. "hacker" or "cracker") attempting to break into or misuse your system. The word "misuse" is broad, and can reflect something as severe as stealing confidential data or something as minor as misusing your email system for spam (though for many of us, that is a major issue!).

An "Intrusion Detection System (IDS)" is a system for detecting such intrusions. For the purposes of this FAQ, IDS can be broken down into the following categories:

network intrusion detection systems (NIDS) monitor packets on the network wire and attempt to discover if a hacker/cracker is attempting to break into a system (or cause a denial of service attack). A typical example is a system that watches for a large number of TCP connection requests (SYN) to many different ports on a target machine, thus discovering if someone is attempting a TCP port scan. A NIDS may run either on the target machine, which watches its own traffic (usually integrated with the stack and services themselves), or on an independent machine promiscuously watching all network traffic (hub, router, probe). Note that a "network" IDS monitors many machines, whereas the others monitor only a single machine (the one they are installed on).

system integrity verifiers (SIV) monitor system files to find when an intruder changes them (thereby leaving behind a backdoor). The most famous of such systems is "Tripwire". A SIV may watch other components as well, such as the Windows registry and cron configuration, in order to find well-known signatures. It may also detect when a normal user somehow acquires root/administrator level privileges. Many existing products in this area should be considered more "tools" than complete "systems": i.e. something like "Tripwire" detects changes in critical system components, but doesn't generate real-time alerts upon an intrusion.

log file monitors (LFM) monitor log files generated by network services. In a similar manner to NIDS, these systems look for patterns in the log files that suggest an intruder is attacking. A typical example would be a parser for HTTP server log files that looks for intruders who try well-known security holes, such as the "phf" attack. Example: swatch

deception systems (A.K.A. decoys, lures, fly-traps, honeypots) contain pseudo-services whose goal is to emulate well-known holes in order to trap hackers. See The Deception ToolKit http://www.all.net/dtk/ for an example. Also, simple tricks such as renaming the "administrator" account on NT, then setting up a dummy account with no rights but extensive auditing can be used. Also see http://www.enteract.com/~lspitz/honeypot.html


Place the IDS product you are using within the definition and you will see the difference between how Marketing classifies them and how the geeks classify them. There is a noticeable difference.

/mark
At 10:44 AM 9/19/00 -0700, Jensenne Roculan wrote:

Another to add to the list would be:

Recourse Technologies ManTrap
http://www.recourse.net

Cheers,

Jensenne Roculan
SecurityFocus.com
http://www.securityfocus.com
(403) 213-3939 ext. 229

On Tue, 19 Sep 2000, Mark Renfer wrote:

> I don't think Personal Firewalls should be seen as IDS products
> since their main purpose is not intrusion detection. But honey pots
> definitely are an IDS category as outlined in the IDS FAQ. (see
> mailing list header) So let me add the product listing of this cat.:
>
> Honey Pots:
> Fred Cohen's Deception Toolkit (www.all.net/dtk)
> Netsec SPECTER (www.specter.com)
> NAI CyberCop Sting (www.nai.com)

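The three monitoring categories in the FAQ text quoted above (a NIDS watching for SYNs to many ports on one target, a Tripwire-style SIV comparing critical files against a baseline, and an LFM parsing HTTP server logs for "phf" probes), each reduced to a minimal detector run over sample input. This is an added example, not code from the FAQ, from anyone in this thread, or from any product named here; the packet records, file contents and Common Log Format lines are constructed, and the port-scan thresholds (5 distinct ports within 10 seconds) are assumed values, not figures from the FAQ.

```python
"""Minimal detectors for the three IDS FAQ categories: NIDS port-scan
heuristic, system integrity verifier, and HTTP log file monitor.
Every sample input below is constructed for illustration."""
import hashlib
import re
from collections import defaultdict

# ---- NIDS: SYNs to many distinct ports on one target from one source ----
# Packet record: (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags).
# Thresholds are assumptions, not values from the FAQ; tune per network.
SCAN_WINDOW_SECONDS = 10
SCAN_DISTINCT_PORTS = 5


def detect_port_scans(packets, window=SCAN_WINDOW_SECONDS, threshold=SCAN_DISTINCT_PORTS):
    """Return {(src, dst): max distinct ports SYN'd within one window} for
    every (src, dst) pair that reaches the threshold."""
    syn_events = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for ts, src, dst, port, flags in packets:
        if flags == "S":  # bare SYN only; SYN/ACK replies are not probes
            syn_events[(src, dst)].append((ts, port))
    alerts = {}
    for pair, events in syn_events.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):  # window anchored at each SYN
            ports = {p for t, p in events[i:] if t - t0 <= window}
            best = max(best, len(ports))
        if best >= threshold:
            alerts[pair] = best
    return alerts


# ---- SIV: Tripwire-style baseline of critical files ------------------------
def baseline(files):
    """files: {path: bytes}. Return {path: sha256 hex digest}."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


def verify(baseline_hashes, files):
    """Compare current files to the baseline; return sorted (path, change)
    tuples, change being 'modified', 'added' or 'deleted'."""
    current = baseline(files)
    changes = []
    for p in set(baseline_hashes) | set(current):
        if p not in current:
            changes.append((p, "deleted"))
        elif p not in baseline_hashes:
            changes.append((p, "added"))
        elif current[p] != baseline_hashes[p]:
            changes.append((p, "modified"))
    return sorted(changes)


# ---- LFM: scan Common Log Format lines for the phf CGI hole ----------------
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+$"
)
# /cgi-bin/phf with or without a query string; case-insensitive so that a
# request for /cgi-bin/PHF is caught as well.
PHF_RE = re.compile(r"/cgi-bin/phf(\?|$)", re.IGNORECASE)


def scan_http_log(lines):
    """Return [(client_ip, request_path, status)] for phf probes; lines that
    do not parse as CLF are skipped rather than crashing the monitor."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if m and PHF_RE.search(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


# ---- Constructed sample input ---------------------------------------------
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "192.0.2.10", 21, "S"),   # scanner walks six ports
    (0.5, "10.0.0.5", "192.0.2.10", 22, "S"),
    (1.0, "10.0.0.5", "192.0.2.10", 23, "S"),
    (1.5, "10.0.0.5", "192.0.2.10", 25, "S"),
    (2.0, "10.0.0.5", "192.0.2.10", 80, "S"),
    (2.5, "10.0.0.5", "192.0.2.10", 110, "S"),
    (3.0, "10.0.0.9", "192.0.2.10", 80, "S"),   # ordinary web client
    (3.1, "192.0.2.10", "10.0.0.9", 80, "SA"),  # its SYN/ACK, ignored
    (3.2, "10.0.0.9", "192.0.2.10", 80, "S"),
]
BASELINE_FILES = {
    "/bin/login": b"ELF login v1",
    "/etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
}
CURRENT_FILES = {
    "/bin/login": b"ELF login v1 + backdoor",  # trojaned binary
    "/etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
    "/etc/rc.d/S99evil": b"#!/bin/sh\nnc -l -p 31337 -e /bin/sh\n",  # planted
}
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Sep/2000:11:52:01 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.23 - - [19/Sep/2000:11:52:03 -0700] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 2212',
    '198.51.100.23 - - [19/Sep/2000:11:52:09 -0700] "GET /cgi-bin/PHF HTTP/1.0" 404 210',
    "truncated line that does not parse",
]

if __name__ == "__main__":
    print("port scans:", detect_port_scans(SAMPLE_PACKETS))
    print("integrity:", verify(baseline(BASELINE_FILES), CURRENT_FILES))
    print("phf probes:", scan_http_log(SAMPLE_LOG))
```

The port-scan detector keys on bare SYNs so the target's SYN/ACK replies do not count against it, and a single client reconnecting to one port never trips the threshold; the integrity check reports additions as well as modifications, since a planted startup script is as much a backdoor as a trojaned binary; and the log monitor skips unparseable lines instead of dying on them, which matters because an attacker who can write to the log can otherwise silence the monitor.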