Intrusion Detection Systems mailing list archives
Back to kernel-mode NIDS (was: Hybrid IDS)
From: "rob" <robert_david_graham () yahoo com>
Date: Fri, 15 Sep 2000 07:53:27 -0700
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
From: Dragos Ruiu
> Yep, that was the claim that raised eyebrows... But I've read the claim carefully now and see that it has a lot of err... wiggle room.
I tried to create no wiggle room in the results (so that others can reproduce them), but of course there is enormous room in the interpretation. This is clearly a "synthetic benchmark" with limited applicability to the real world. It started out from a discussion about kernel-mode IDS, and I really didn't want it dragged out into the public in the first place.
> ...sensor do if I transmit dr's IDS soloflex sequence at it...
You should think of this more as another synthetic benchmark rather than a conclusive death knell for NIDS. Certainly, it will probably kill all NIDS. However, there are defenses. Simply putting rate-filters on fragments entering your network will help the NIDS (rate filtering is becoming extremely popular). You've also got a choice of "normalizing" firewalls that force reassembly, which helps out the NIDS behind it. Also, certain NIDS have deployment options for installation directly on the affected hosts :-) which can likewise help defend against this. If you expect the NIDS to page you each time a hacker breaches your network, then you shouldn't buy one. That isn't what NIDS do. Instead, they provide visibility into what's happening on the network wire, catching scans, pointing out anomalies, and hopefully triggering on the more obvious attacks.
> There, that post should put me on the IDS vendor troublemaker lists.... :-) So are there any _real_ IDSes out there?
Troublemakers: Gandhi, Jefferson, Galileo, etc. :-)

Robert Graham
CTO, Network ICE
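An added illustration of the fragment rate-filter defense mentioned in the reply above (example code, not from the post or from Network ICE): a per-source token bucket that applies only to fragmented IP packets, so a fragment flood from one source is throttled before it reaches the NIDS while ordinary traffic passes untouched. The packet tuples, the thresholds and the class/function names are all assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample input: (timestamp_s, src_ip, MF_flag, fragment_offset).
# A packet is part of a fragmented datagram if MF is set or its offset is non-zero.
SAMPLE_PACKETS = (
    [(0.00, "10.0.0.5", 0, 0),      # ordinary unfragmented packet
     (0.01, "10.0.0.5", 1, 0),      # first fragment of a normal datagram
     (0.02, "10.0.0.5", 0, 185)]    # last fragment of that datagram
    # burst of 20 fragments in 20 ms from one source (constructed flood)
    + [(0.10 + i * 0.001, "192.0.2.77", 1, i * 185) for i in range(20)]
    # same source again after a quiet period: its bucket has refilled
    + [(2.00, "192.0.2.77", 1, 0)]
)


def is_fragment(mf, offset):
    return mf == 1 or offset != 0


class FragmentRateFilter:
    """Token bucket per source address (hypothetical helper, an assumption)."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.burst = burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, ts, src):
        # Refill in proportion to the time since this source's previous fragment,
        # capped at the burst size, then spend one token if one is available.
        prev = self.last.get(src, ts)
        self.tokens[src] = min(self.burst, self.tokens[src] + (ts - prev) * self.rate)
        self.last[src] = ts
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False


def filter_packets(packets, rate_per_sec=50.0, burst=10):
    """Return (passed, dropped); non-fragments are never rate-limited."""
    bucket = FragmentRateFilter(rate_per_sec, burst)
    passed, dropped = [], []
    for pkt in packets:
        ts, src, mf, off = pkt
        if not is_fragment(mf, off) or bucket.allow(ts, src):
            passed.append(pkt)
        else:
            dropped.append(pkt)
    return passed, dropped
```

With the sample above, the first ten fragments of the burst pass, the remaining ten are dropped, and the fragment sent after the quiet period passes because the bucket has refilled.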