Intrusion Detection Systems mailing list archives

RE: Hybrid IDS


From: mht () clark net
Date: Fri, 08 Sep 2000 08:39:05 -0700

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Actually ZoneLabs is no longer free..

Please see http://www.zonelabs.com/pressvpsales.htm

At 11:02 AM 9/8/00 +0200, Martins, Fernando (Lisbon) wrote:
Hi2all,

John, if 148k packets/second are not enough, try 300k ... this is the kind of
test that makes me wonder why somebody must say at Defcon "hit me, I can handle it
...", or something like it. Either Defcon is not what I think it is, or people's
motivation for tests is too low ... but I have never been at Defcon so maybe
I'm wrong.

Mark, if you want to test your IDS without even having to go to Defcon, pick a
big IRC network, create a # for your IDS support on-line, and tell the #
operators to go to some nasty other #'s and say "hit me, I can handle it
...", or something like it.

While I was trying to help Signal9 at Undernet in the same kind of tests for
their ConSeal Firewall, I never had the need to challenge anybody,
since 'challengers' were always around, and I was there almost 24/7 for
their amusement. And believe me ... one day, if 300k were not enough,
somebody will use more than that and 'something' will crash ... just a
guess, but with luck you can get a 'hybrid' crash eheheh (I luv English
classes here!!).

I was betatesting BlackICE, but during the trial period I didn't have the
time for real tests. Also, I wonder why it stopped working before the trial
period was over ... Without time and without the trial version I had to stop
what I probably had not even started, at least for real. I don't have the time I
used to for this kind of thing (like working for free while others
get the money), but I can give it a try if Xmas arrives in September this
year and I get a BlackICE copy for free =;o)

And Mark, about the ZoneLabs market place, yours will never be the same, since
ZoneLabs has another commercial policy for home users: it's free, remember?

Kind Regards,
Fernando Martins


> -----Original Message-----
> From: John S Flowers [SMTP:jflowers () hiverworld com]
> Sent: Friday, September 08, 2000 12:29 AM
> To:   mark.teicher () networkice com
> Cc:   FOCUS-IDS () securityfocus com; ids () uow edu au
> Subject:      Re: IDS: Hybrid IDS
>
> Mark,
>
> I've had a message into Robert Graham and cc'd other persons for the
> last 2 weeks or so.  I've sent numerous messages commenting on the
> challenge and even replied to the document entitled "jolt2" that was
> sent by Robert to myself and others.
>
> In reference to the document - http://www.robertgraham.com/op-ed/jolt2
> -- On August 24th I said, "I like what you've written (jolt2) and think
> you should publish it."
>
> I believe that the claims made by Robert Graham are so outrageous that
> there's no real need to even validate them (see the link above, if it's
> even active).  I'm sure that everyone will see this to be the case if
> this document actually makes it to the public.
>
> Otherwise, I'm more than happy to actually run a real test against your
> IDS and see if it can sustain 148,800 packets per second and provide
> alerting/counting on the attack.
>
> This was the original claim made by Robert to the crowd at Defcon and to
> the IDS list a while ago (i.e. not the single packet against an invalid
> IP address that is mentioned in this document).  This is the claim that
> I believe Robert should stick to, not the "jolt2 test" in the document
> at the link above.
>
> I've not yet received a copy of BlackICE for the purpose of this real
> world test and I haven't heard from Robert since Aug 24th (2 weeks ago).
>
> For the record -- I've been seriously busy, but I HAVE kept in touch
> with Network ICE and Robert Graham since this claim was made.  So the
> accusation that "no one has heard from Hiverworld since" is completely
> misleading.
>
> "Teicher, Mark" wrote:
> >
> > At 10:02 AM 9/7/00 -0400, Marcus J. Ranum wrote:
> >
> > >One place where the personall firewall / IDS hybrids present an
> > >interesting challenge to clarity is in performance marketing.
> > >Since they're operating at a packet level (sort of) an unscrupulous
> > >vendor (hi! you know who you are!) could claim their performance
> > >figures in terms of packets processed/second. So the vendor could
> > >say "in recent tests, our network IDS handled 10,000,000,000
> > >packets/second!!" without mentioning clearly that this was
> > >accomplished using a single host on a switch, but the host was
> > >only looking for attacks directed at itself... Such claims have
> > >already been made - clearly deceptive, but there you have it.
> >
> > Whoa, wait a minute here, Network ICE accepted the challenge from
> > Hiverworld at DefCon, and Network ICE was ready,  No one has heard from
> > HiverWorld since.
> >
> > Ah yes, Marketing, blame NAI, Symantec and Zonelabs for re-defining the
> > market space or in other words segmenting a very infant market space. So
> > every vendor is attempting to fit into as many market spaces as it can, in
> > order to get the largest customer base.
> >
> > >>Is there a clear cut definition out there somewhere?
> > >
> > >You're asking if marketing respects technical language? <giggle>
> > >I wish...  :(  We went through the same kind of nonsense early
> > >on in the firewall days - proxy firewalls, stateful turbo
> > >multi-whomping packet examination, etc, etc. Eventually terms
> > >settle down when the marketing folks find a set of features
> > >they can tout that don't cause people to break out in belly
> > >laughter whenever they use it.
> >
> > I tend to agree with MJR on this space, the marketing type firms out there
> > don't really understand the space or the techie geekie stuff that some of
> > us utter to them.  They tend to grab onto the first one or two blurbs of
> > techie talk and that's what they stick with.  You try to explain to them the
> > difference between packet grepping and protocol decode, they get all glossy
> > eyed and almost fall over from boredom.  The marketing type people layman
> > explanations that some of us can never get across to them without bursting
> > out laughing.. :)
> >
> > /mark
> >
> > >mjr.
> > >-----
> > >Marcus J. Ranum
> > >Chief Technology Officer, Network Flight Recorder, Inc.
> > >Work:                  http://www.nfr.net
> > >Personal:              http://www.ranum.com
>
> --
> John S Flowers                <jflowers () hiverworld com>
> Chief Scientist              http://www.hiverworld.com
> 510.848.0740 x 724 [Office]         510.841.2447 [Fax]

