IDS mailing list archives

RE: new on IDSs


From: Omar Herrera <oherrera () prodigy net mx>
Date: Sun, 26 Jan 2003 23:31:02 -0600

Dear Vladimir,

I believe that one of the biggest limitations of NIDS is the need for
response emulation capabilities. NIDS have to know how a particular O.S.
responds to certain packets in order to act accordingly and avoid
evasion and injection techniques; actually this need is not a limitation
by itself, but this capability is difficult to implement.

Not only should they consider O.S. responses, in many cases they should
also consider specific application responses (web servers for example).
So, in a big company with a huge diversity of applications and
configurations life won't be easy for a NIDS.

I'm not sure of what investigation is taking place to reduce this other
than adding a bunch of behavior signatures but I believe that for
certain configurations things would be easier for a NIDS.

For example, if the NIDS is in front of a firewall implementing
application gateway and circuit gateway technologies, in theory it
would suffice for the NIDS to know exactly how this device handles
traffic at different levels. I'm not aware of a product claiming to do
this interaction with firewalls though (and you just can't have this
configuration everywhere).

Just some thoughts,

Omar Herrera
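The response-emulation problem Omar describes (the NIDS must reassemble traffic the way the target host does, or an overlapping retransmission can hide a request from the sensor) as an added illustration, not code from either poster. It assumes two simplified, hypothetical overlap policies, "favor_old" and "favor_new"; real hosts use finer-grained rules that a sensor would have to map per target.

```python
"""Target-based TCP segment reassembly under different overlap policies."""
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (relative sequence number, payload)


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the byte stream from possibly overlapping segments.

    "favor_old": bytes already received win over a later overlapping segment.
    "favor_new": the later segment overwrites earlier bytes.
    Both are simplified stand-ins (assumption), not any specific O.S. policy.
    """
    if policy not in ("favor_old", "favor_new"):
        raise ValueError(f"unknown policy {policy!r}")
    stream: Dict[int, int] = {}  # stream offset -> byte value
    for seq, payload in segments:  # segments in arrival order
        for i, b in enumerate(payload):
            off = seq + i
            if policy == "favor_new" or off not in stream:
                stream[off] = b
    if not stream:
        return b""
    end = max(stream) + 1
    # This simplified model requires a contiguous stream starting at offset 0.
    if len(stream) != end:
        raise ValueError("stream has a hole; cannot reassemble contiguously")
    return bytes(stream[o] for o in range(end))


def inspect(segments: List[Segment], signature: bytes,
            policies=("favor_old", "favor_new")) -> dict:
    """Reassemble under every candidate policy and report where the signature
    matches. If the views differ, the sensor cannot decide without knowing
    the target's policy; flagging that ambiguity is itself a useful alert."""
    views = {p: reassemble(segments, p) for p in policies}
    matches = {p: signature in s for p, s in views.items()}
    ambiguous = len(set(views.values())) > 1
    return {"views": views, "matches": matches, "ambiguous": ambiguous}


# Constructed sample: the third segment retransmits the same sequence range
# with different bytes, so the two policies yield different requests.
SAMPLE_SEGMENTS = [(0, b"GET /"), (5, b"index.html"), (5, b"admin.html")]
SAMPLE_SIGNATURE = b"/admin.html"

if __name__ == "__main__":
    result = inspect(SAMPLE_SEGMENTS, SAMPLE_SIGNATURE)
    for pol, view in result["views"].items():
        print(pol, view, "match" if result["matches"][pol] else "no match")
    print("ambiguous:", result["ambiguous"])
```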


hi all,

I'm interested in NIDS and I was wondering if somebody could, please,
answer these questions or give me some information (links, etc.):

1.- What are NIDS limitations, in addition to the inherent limitations
of pattern matching?

2.- Which technologies or investigation lines are trying to minimize or
even correct these limitations?

3.- What about distributed NIDS?
