Intrusion Detection Systems mailing list archives
Re: Hybrid IDS
From: mark.teicher () networkice com
Date: Thu, 07 Sep 2000 16:49:43 -0700
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------

Oh yes, I am very aware of the Sandler approach.. Host based IDS is a very different market segment than Network Based IDS, some are good some are bad.. Really depends..
/mark

At 01:27 PM 9/7/00 -0700, Dan Nadir wrote:
Mark,

I agree with you, but the job of a "marketing" person is not to explain packet grepping and protocol decodes to people on this list. Marketing people try to explain how a product solves a problem and/or how it is different from something that "normal people" already know. That's why IDS presentations always started with "you already have a firewall" and went from there by way of comparison.

The term "hybrid" is being used by vendors to convey the same message. If you sell IDS that monitors logs, and you sell IDS that monitors packets, then to *your customers and future customers*, a hybrid system is one that does both. Not a lot of technology here.

Trying to define a term like this is only slightly easier than defining "host-based" IDS in general. ;-) Ask SymAxent, Centrax, ISS, NetworkIce, and NAI to define exactly what host-based IDS is and what it must do at a minimum to be considered host-based. You'll (unfortunately) get 5 answers.

Dan

At 9/7/00 10:33 AM, mark.teicher () networkice com wrote:

I tend to agree with MJR on this space, the marketing type firms out there don't really understand the space or the techie geekie stuff that some of us utter to them. They tend to grab onto the first one or two blurbs of techie talk and that's what they stick with. You try to explain to them the difference between packet grepping and protocol decode, they get all glossy eyed and almost fall over from boredom.
