Intrusion Detection Systems mailing list archives

RE: Hybrid IDS


From: "St. Clair, James" <JStClair () vredenburg com>
Date: Fri, 8 Sep 2000 07:13:24 -0400

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
I would add to this a presentation I heard yesterday that included the word
"Marketecture", defined as the technique marketing uses to describe the
functionality of their product.

There is now an increasing effort, at least in government which I believe is
spilling over, to set the definitions (more accurately called "criteria") for
what systems are supposed to do. Even more important, these systems are being
required through some testing procedure (their own or an independent lab's)
to demonstrate that the criteria are being met in conjunction with a network.

This IMHO is the road NetworkIce and ISS will follow in the future to stay
competitive as the market tries to sort out "marketecture" from documented
performance and interoperability.

James St. Clair 




-----Original Message-----
From: mark.teicher () networkice com [mailto:mark.teicher () networkice com]
Sent: Thursday, September 07, 2000 7:50 PM
To: Dan Nadir; ids () uow edu au
Subject: Re: IDS: Hybrid IDS


Oh yes, I am very aware of the Sandler approach.. Host based IDS is a very 
different market segment than Network Based IDS, some are good some are 
bad.. Really depends..

/mark

At 01:27 PM 9/7/00 -0700, Dan Nadir wrote:

Mark, I agree with you, but the job of a "marketing" person is not to 
explain packet grepping and protocol decodes to people on this list. 
Marketing people try to explain how a product solves a problem and/or how 
it is different from something that "normal people" already know.  That's 
why IDS presentations always started with "you already have a firewall" 
and went from there by way of comparison.
The term "hybrid" is being used by vendors to convey the same message. If 
you sell IDS that monitors logs, and you sell IDS that monitors packets, 
then to *your customers and future customers*, a hybrid system is one that 
does both. Not a lot of technology here.

Trying to define a term like this is only slightly easier than defining 
"host-based" IDS in general. ;-)
Ask SymAxent, Centrax, ISS, NetworkIce, and NAI to define exactly what 
host-based IDS is and what it must do at a minimum to be considered 
host-based. You'll (unfortunately) get 5 answers.

Dan



At 9/7/00 10:33 AM, mark.teicher () networkice com wrote:
I tend to agree with MJR on this space, the marketing type firms out 
there don't really understand the space or the techie geekie stuff that 
some of us utter to them.  They tend to grab onto the first one or two 
blurbs of techie talk and that's what they stick with.  You try to explain 
to them the difference between packet grepping and protocol decode, they get 
all glossy-eyed and almost fall over from boredom.
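The "packet grepping versus protocol decode" distinction Mark mentions is the one technical point in this thread, so here is an added illustration of it. This is example code written for this archive page, not code from NetworkICE, ISS or any other product named above. It assumes a hypothetical signature path (`/cgi-bin/hypothetical-bad.cgi`, a constructed name that corresponds to no real vulnerability) and four constructed HTTP payloads. The grep-style detector searches the raw bytes for the signature; the decode-style detector first parses the HTTP request line, strips the query string and percent-decoding, and only then compares the normalised path. The samples show the two failure modes a decoder removes: a percent-encoded path the grep misses, and a signature that appears only in a header value, on which the grep fires spuriously.

```python
import re
from urllib.parse import unquote

# Constructed signature: a hypothetical CGI path, not a real vulnerability.
SIGNATURE = "/cgi-bin/hypothetical-bad.cgi"

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # Plain request for the signature path: both approaches should alert.
    "plain": b"GET /cgi-bin/hypothetical-bad.cgi HTTP/1.0\r\nHost: x\r\n\r\n",
    # Same path with one character percent-encoded ("%2D" is "-"):
    # a byte-level grep no longer sees the signature string.
    "encoded": b"GET /cgi-bin/hypothetical%2Dbad.cgi HTTP/1.0\r\nHost: x\r\n\r\n",
    # Signature string present only inside a Referer header, not as the
    # requested path: a grep alerts, a decoder does not.
    "header_only": (b"GET /index.html HTTP/1.0\r\n"
                    b"Referer: http://example.invalid/cgi-bin/hypothetical-bad.cgi\r\n\r\n"),
    # Not HTTP at all.
    "not_http": b"\x00\x01\x02not a request line\r\n",
}


def packet_grep(payload: bytes) -> bool:
    """'Packet grepping': substring search over the raw payload bytes."""
    return SIGNATURE.encode("ascii") in payload


def decode_http_request(payload: bytes):
    """Minimal HTTP/1.x request-line decoder.

    Returns (method, normalised_path, version), or None when the payload is
    not a well-formed request line (a real sensor would hand such traffic to
    another decoder rather than silently accepting it as HTTP).
    """
    first_line = payload.partition(b"\r\n")[0]
    try:
        text = first_line.decode("ascii")
    except UnicodeDecodeError:
        return None
    m = re.fullmatch(r"([A-Z]+) (\S+) (HTTP/\d\.\d)", text)
    if m is None:
        return None
    method, target, version = m.groups()
    # Drop the query string, then undo percent-encoding so that
    # "hypothetical%2Dbad" compares equal to "hypothetical-bad".
    path = unquote(target.split("?", 1)[0])
    return method, path, version


def protocol_decode_match(payload: bytes) -> bool:
    """'Protocol decode': parse first, then test the normalised request path."""
    decoded = decode_http_request(payload)
    if decoded is None:
        return False
    _method, path, _version = decoded
    return path == SIGNATURE


def compare():
    """Run both detectors over every sample; returns {name: (grep, decode)}."""
    return {name: (packet_grep(p), protocol_decode_match(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (grep_hit, decode_hit) in compare().items():
        print(f"{name:12s} grep={grep_hit!s:5s} decode={decode_hit}")
```

Running it prints one line per sample; "encoded" is the false negative for the grep approach and "header_only" is its false positive, while the decoder gets both right. The cost of the decode approach is exactly what a vendor has to get right per protocol: the parser itself, and a normalisation step that agrees with how the real server interprets the request.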

