Firewall Wizards mailing list archives

Re: Recording slow scans


From: Bennett Todd <bet () mordor net>
Date: Wed, 14 Oct 1998 11:15:00 -0400

1998-10-10-14:48:33 Darren Reed:
Couple of problems here...
(1) potential loss of revenue for X companies which make IDS products;

I'm sorry, but I just don't see that as a problem.

Right now it looks like the most actively-developed and researched IDS is
NFR, but NFR has gotten backed into a kind of icky pickle; while people are
encouraged to play with it, as soon as they try using it they discover it
can't keep up with a busy net, and are told to buy the commercial one, as it
is apparently faster --- enough so to be useable.

(2) significant kernel bloat and subsequent requirements for machines;
(3) all IDS solutions are part-kernel, part-user programs;

Sure --- but I think the point was to shove enough of the screening decision
logic down to the bottom of the stack to help performance, is all. As for
kernel bloat, if the bloat's too bad, why then, don't use it. I don't expect to
see this kind of goo included by default until and unless people start using
it really widely.

(4) you have to convince the right people that it is worthwhile (and
    they might (rightly) say "use NFR" or some such).

"use NFR" is only an option if (a) you don't need to track a busy net, or (b)
you don't care about open source. Some of us do care about open source.

-Bennett
