"Zow" Terry Brugger wrote: > Unless it is a transparent application proxy,

Given. Still, it works at the application layer, otherwise it is a cunningly-renamed stateful firewall which performs deep inspection.

> Unless it is an IPS, in which case

In which case it is not an IDS, and thus not in scope with the original question :)

> The difference I'd see is that network IDS/IPS devices typically look
> for specific signatures (sequences of bytes, regular expressions,
> certain flags set in the headers, etc) on a session (TCP, UDP, ICMP)
> or network (IP) level packet.

Counterexamples: Arbor, Lancope

> Most can do some degree of session
> reassembly, but only in so far as to catch signatures which are
> divided across multiple packets.

I'm pretty sure that Martin Roesch, if he reads, will have something to say here :)

--
Best regards,
Ing. Stefano Zanero, PhD
CTO & Co-Founder
Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI)
Phone: +39 02.24126788
Fax: +39 02.24126789
email: [EMAIL PROTECTED]
web: www.securenetwork.it
