RE: Hybrid IDS

["Martins, Fernando (Lisbon)" <FMartins () pt imshealth com>]

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Hi2all

Copied and pasted from the provided link:
"Zone Labs has revolutionized personal Internet security with ZoneAlarm,
which is free for personal and non-profit use"
Also you can take a look at ...
http://www.zonelabs.com/zafreedownload.htm

And also i beleave this will take you to your free copy:
http://hotfiles.zdnet.com/cgi-bin/texis/swlib/hotfiles/downloading.html?Disp
Category=Internet&DispSubcategory=Internet+Tools&DispTitle=ZoneAlarm&refresh
_url=ftp%3A%2F%2Fzdftp%2Ezdnet%2Ecom%2Fpub%2Fprivate%2FsWlIB%2Finternet%2Fin
ternet%5Ftools%2Fzonalarm%2Eexe&Fcode=0015P7&Category=internet&Subcategory=i
nternet%5Ftools&b=zonealarm

What is not free is the new ZoneAlarm Pro, not the ZoneAlarm 2.1 witch is
still free for personal and non-profit use.

Kind Regards,

Fernando Martins

> -----Original Message-----
> From: mht () clark net [SMTP:mht () clark net]
> Sent: Friday, September 08, 2000 4:39 PM
> To:   Martins, Fernando (Lisbon); ids () uow edu au
> Subject:      RE: IDS: Hybrid IDS
>
> Actually ZoneLabs is no longer free..
>
> Please see http://www.zonelabs.com/pressvpsales.htm
>
> At 11:02 AM 9/8/00 +0200, Martins, Fernando (Lisbon) wrote:
> > Archive: http://msgs.securepoint.com/ids
> > FAQ: http://www.ticm.com/kb/faq/idsfaq.html
> > IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
> > HELP: Having problems... email questions to ids-owner () uow edu au
> > NOTE: Remove this section from reply msgs otherwise the msg will bounce.
> > SPAM: DO NOT send unsolicted mail to this list.
> > UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
> > -------------------------------------------------------------------------
> ----
> > Hi2all,
> >
> > John, if 148k packets/second are not enough, try 300k ... this is a kind
> of
> > test that i wonder why somebody must said at Defcon "hit me, i can handle
> it
> > ...", or something like it. Or Defcon is not what i think it is, or
> people
> > motivation for tests are too low ... but i never been at Defcon so may be
> > i'm wrong.
> >
> > Mark, if you want to test your IDS without even have to go to Defcon,
> pick a
> > big IRC network, create a # for your IDS support on-line, and tell to #
> > operators to go to some nasty other #'s, and say 'hit me, i can handle it
> > ...", or something like it.
> >
> > While i was trying to help Signal9 at Undernet in same kind of tests for
> > their ConSeal Firewall, i had not ever the need for challenging nobody,
> > since 'challengers' were allways around, and i was there almost 24/7 for
> > their amusement. And beleave me ... one day, if 300k were not enough,
> > somebody will use more then that and 'something' will crash ... just a
> > guess, but with luck you can get an 'hybrid' crash eheheh (i luv English
> > classes here!!).
> >
> > I was betatesting BlackICE, but during the trial period i didn't have the
> > time for real tests. Also, i wonder why it stops working before the trial
> > period was over ... Without time and without the trial version i had stop
> > what i probably not even started, at least for real. I have not the time
> as
> > i use to, for this kind of things (like working for free while others
> > getting the money), but i can give a try if Xmas arrive in September this
> > year and i got a BlackICE copy for free =;o)
> >
> > And Mark, about Zonelabs market place, yours will never be the same,
> since
> > Zonelabs have other commercial politic for home users, it's free,
> remember?
> > Kind Regards,
> > Fernando Martins
> >
> >
> > > -----Original Message-----
> > > From: John S Flowers [SMTP:jflowers () hiverworld com]
> > > Sent: Friday, September 08, 2000 12:29 AM
> > > To:   mark.teicher () networkice com
> > > Cc:   FOCUS-IDS () securityfocus com; ids () uow edu au
> > > Subject:      Re: IDS: Hybrid IDS
> > >
> > > Archive: http://msgs.securepoint.com/ids
> > > FAQ: http://www.ticm.com/kb/faq/idsfaq.html
> > > IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
> > > HELP: Having problems... email questions to ids-owner () uow edu au
> > > NOTE: Remove this section from reply msgs otherwise the msg will
> bounce.
> > > SPAM: DO NOT send unsolicted mail to this list.
> > > UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
> --------------------------------------------------------------------------
> > > ---
> > > Mark,
> > >
> > > I've had a message into Robert Graham and cc'd other persons for the
> > > last 2 weeks or so.  I've sent numerous messages commenting on the
> > > challenge and even replied to the document entitled "jolt2" that was
> > > sent by Robert to myself and others.
> > >
> > > In reference to the document - http://www.robertgraham.com/op-ed/jolt2
> > > -- On August 24th I said, "I like what you've written (jolt2) and
> think
> > > you should publish it."
> > >
> > > I believe that the claims made by Robert Graham are so outrageous that
> > > there's no real need to even validate them (see the link above, if
> it's
> > > even active).  I'm sure that everyone will see this to be the case if
> > > this document actually makes it to the public.
> > >
> > > Otherwise, I'm more than happy to actually run a real test against
> your
> > > IDS and see if it can sustain 148,800 packets per second and provide
> > > alerting/counting on the attack.
> > >
> > > This was the original claim made by Robert to the crowd at Defcon and
> to
> > > the IDS list a while ago (i.e. not the single packet against an
> invalid
> > > IP address that is mentioned in this document).  This is the claim
> that
> > > I believe Robert should stick to, not the "jolt2 test" in the document
> > > at the link above.
> > >
> > > I've not yet received a copy of BlackICE for the purpose of this real
> > > world test and I haven't heard from Robert since Aug 24th (2 weeks
> ago).
> > > For the record -- I've been seriously busy, but I HAVE kept in touch
> > > with Network ICE and Robert Graham since this claim was made.  So the
> > > accusation that "no one has heard from Hiverworld since" is completely
> > > misleading.
> > >
> > > "Teicher, Mark" wrote:
> > > > At 10:02 AM 9/7/00 -0400, Marcus J. Ranum wrote:
> > > >
> > > > > One place where the personall firewall / IDS hybrids present an
> > > > > interesting challenge to clarity is in performance marketing.
> > > > > Since they're operating at a packet level (sort of) an unscrupulous
> > > > > vendor (hi! you know who you are!) could claim their performance
> > > > > figures in terms of packets processed/second. So the vendor could
> > > > > say "in recent tests, our network IDS handled 10,000,000,000
> > > > > packets/second!!" without mentioning clearly that this was
> > > > > accomplished using a single host on a switch, but the host was
> > > > > only looking for attacks directed at itself... Such claims have
> > > > > already been made - clearly deceptive, but there you have it.
> > > >
> > > > Whoa, wait a minute here, Network ICE accepted the challenge from
> > > > Hiverworld at DefCon, and Network ICE was ready,  No one has heard
> from
> > > > HiverWorld since.
> > > >
> > > > Ah yes, Marketing, blame NAI, Symantec and Zonelabs for re-defining
> the
> > > > market space or in other words segmenting a very infant market
> space.
> > > So
> > > > every vendor is attempting fit into as many market spaces as it can,
> in
> > > > order to get the largest customer base.
> > > >
> > > > > > Is there a clear cut definition out there somewhere?
> > > > >
> > > > > You're asking if marketing respects technical language? <giggle>
> > > > > I wish...  :(  We went through the same kind of nonsense early
> > > > > on in the firewall days - proxy firewalls, stateful turbo
> > > > > multi-whomping packet examination, etc, etc. Eventually terms
> > > > > settle down when the marketing folks find a set of features
> > > > > they can tout that don't cause people to break out in belly
> > > > > laughter whenever they use it.n
> > > >
> > > > I tend to agree with MJR on this space, the marketing type firms out
> > > there
> > > > don't really understand the space or the techie geekie stuff that
> some
> > > of
> > > > us utter to them.  The tend to grab onto the first one or two blurbs
> of
> > > > techie talk and that what they stick with.  You try to explain them
> the
> > > > different between packet grepping and protocol decode, they get all
> > > glossy
> > > > eyed and almost fall over from boredom.  The marketing type people
> > > layman
> > > > explanations that some of us can never get across to them without
> > > bursting
> > > > out laughing.. :)
> > > >
> > > > /mark
> > > >
> > > > > mjr.
> > > > > -----
> > > > > Marcus J. Ranum
> > > > > Chief Technology Officer, Network Flight Recorder, Inc.
> > > > > Work:                  http://www.nfr.net
> > > > > Personal:              http://www.ranum.com
> > >
> > > --
> > > John S Flowers                <jflowers () hiverworld com>
> > > Chief Scientist              http://www.hiverworld.com
> > > 510.848.0740 x 724 [Office]         510.841.2447 [Fax]