Bill,

Do you actually believe this, or did you read it off a cereal box 
label??  Just kidding..

Each IDS vendor has its own way of detecting intrusions.  Particular 
pattern matching is simple packet grepping.  More sophisticated IDS systems 
use a system of packet dis-assembly and packet re-assembly.. Some of the 
more interesting IDS systems utilize this type of method, which allows 
those vendors to cut down on the amount of updating one has to do when new 
signatures come out.  NFR, Dragon Systems and some of the newer IDS systems 
use the packet dis-assembly/re-assembly method versus the packet grepping 
which is not really packet dis-assembly.  Some IDS packages up their 
signature count by having 10 different alerts for one type of event.  (i.e. 
BackOrifice, or Subseven, Ping of Death)

I have no idea what differential detection is; is that similar to anomaly 
detection, where traffic is somewhat normalized or scrubbed before it is 
analyzed?  If one were to do this type of packet analysis, one would need 
lots of IRON and lots of CPU since the speed of an organization's network 
will slowly surpass 100Mb.

The best approach is to seek out the tool for the right job or a 
combination of tools..


At 12:02 PM 8/5/00 -0600, dreamwvr wrote:
>hi Bill,
>On Fri, 04 Aug 2000, [EMAIL PROTECTED] wrote:
> > I agree wholeheartedly with dreamwvr.  IDS is in its infancy.  One point
> > that needs to be emphasized is that network based IDS uses two primary
> > means of detecting intrusions.  The most common method is pattern
> > recognition.  Attacks have a particular pattern (signature) that can be
> > recognized.  The problem of course is (like virus detection) the attack
> > must be known, the signature created and then distributed to the IDS
> > systems.  The second method of detection is differential detection.  A
> > network has certain "normal" operating parameters and when operations go
> > outside the norm then an alarm is generated.   The advantage with this
> > method is that it adapts automatically.  The disadvantage is that it tends
> > to generate alarms for any unusual activity whether security related or
> > not.   For example, updating software on clients generates a lot of
> > traffic that the IDS sees as abnormal.
> >
> > The best approach is a combination of both methods.  The reason the most
> > popular IDS products rely primarily on pattern recognition is because it
> > is the easiest to build and the easiest to sell.  Dreamwvr is right about
> > the BEST never gets beyond first base and that applies to a lot of
> > products.
> >
> > -- Bill Stackpole, CISSP
>Reuters, London, February 29, 1998:
>Scientists have announced discovering a meteorite which will strike the
>earth in March, 2028.  Millions of UNIX coders expressed relief for being
>spared the UNIX epoch "crisis" of 2038.
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]

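Added example, not part of this thread or of any product named in it. It illustrates two points raised above: why stateless "packet grepping" misses a signature that straddles TCP segment boundaries while sequence-number reassembly catches it, and how a simple "differential"/anomaly baseline flags a traffic burst such as a software-update push. The signature string, segment offsets and byte counts are all constructed for the demonstration.

```python
"""Packet grepping vs stream reassembly, plus a toy anomaly baseline.

Constructed example: a TCP payload carrying a made-up signature string is
split across three segments that also arrive out of order.  A per-packet
grep never sees the whole string; reassembling by sequence number does.
"""
from dataclasses import dataclass

# Constructed stand-in for a rule's content match; not a real attack string.
SIGNATURE = b"EXAMPLE-SIGNATURE"


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def split_stream(data: bytes, cuts: list, base_seq: int = 1000) -> list:
    """Cut `data` into segments at the given byte offsets (simulates the sender's segmentation)."""
    bounds = [0] + sorted(cuts) + [len(data)]
    return [Segment(base_seq + a, data[a:b]) for a, b in zip(bounds, bounds[1:]) if b > a]


def grep_packets(segments, signature: bytes = SIGNATURE) -> bool:
    """Stateless per-packet matching: each segment is searched on its own."""
    return any(signature in seg.payload for seg in segments)


def reassemble(segments) -> bytes:
    """Order segments by sequence number, drop duplicates, trim overlaps (first copy wins).

    Stops at a gap: data after a missing segment is not contiguous and must
    not be joined to what came before it.
    """
    stream = b""
    next_seq = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if next_seq is None:
            next_seq = seg.seq
        if seg.seq + len(seg.payload) <= next_seq:
            continue                        # pure retransmission, nothing new
        if seg.seq > next_seq:
            break                           # hole in the stream: wait for the missing bytes
        skip = next_seq - seg.seq           # overlap with bytes already kept
        stream += seg.payload[skip:]
        next_seq = seg.seq + len(seg.payload)
    return stream


def grep_stream(segments, signature: bytes = SIGNATURE) -> bool:
    """Stateful matching over the reassembled byte stream."""
    return signature in reassemble(segments)


# --- "differential" / anomaly detection on per-interval byte counts -------

def baseline(samples: list) -> tuple:
    """Mean and (population) standard deviation of a training window."""
    n = len(samples)
    mean = sum(samples) / n
    var = sum((x - mean) ** 2 for x in samples) / n
    return mean, var ** 0.5


def is_anomalous(value: float, mean: float, std: float, k: float = 3.0) -> bool:
    """Flag an interval whose volume is more than k standard deviations from baseline."""
    return abs(value - mean) > k * std


if __name__ == "__main__":
    # Constructed request; the signature starts at byte offset 18.
    data = b"GET /index.html?q=EXAMPLE-SIGNATURE HTTP/1.0\r\n"
    segs = split_stream(data, cuts=[10, 25])          # cut falls inside the signature
    arrived = list(reversed(segs))                    # and the segments arrive out of order
    print("per-packet grep:", grep_packets(arrived))  # False: no single segment has it all
    print("reassembled grep:", grep_stream(arrived))  # True

    # Constructed per-minute byte counts (in KB) from a quiet training window.
    mean, std = baseline([100, 110, 95, 105, 90, 100, 108, 92])
    print("update push 1200 KB anomalous:", is_anomalous(1200, mean, std))  # True
    print("ordinary 115 KB anomalous:", is_anomalous(115, mean, std))       # False
```

The reassembly step is where the "IRON and CPU" cost Bill mentions comes from: the sensor has to buffer and order every stream it watches, whereas the per-packet grep keeps no state at all. The anomaly half shows the false-positive trade-off from the quoted message: a legitimate update burst trips the same threshold an attack would.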