IDS mailing list archives
RE: new on IDSs
From: Omar Herrera <oherrera () prodigy net mx>
Date: Sun, 26 Jan 2003 23:31:02 -0600
Dear Vladimir,

I believe that one of the biggest limitations of NIDS is the need for response emulation capabilities. NIDS have to know how a particular O.S. responds to certain packets in order to act accordingly and avoid evasion and injection techniques; actually this need is not a limitation by itself, but this capability is difficult to implement. Not only should they consider O.S. responses, in many cases they should also consider specific application responses (web servers, for example). So, in a big company with a huge diversity of applications and configurations, life won't be easy for a NIDS.

I'm not sure what investigation is taking place to reduce this, other than adding a bunch of behavior signatures, but I believe that for certain configurations things would be easier for a NIDS. For example, if the NIDS is in front of a firewall implementing application gateway and circuit gateway technologies, in theory it would suffice for the NIDS to know exactly how this device handles traffic at different levels. I'm not aware of a product claiming to do this interaction with firewalls, though (and you just can't have this configuration everywhere).

Just some thoughts,

Omar Herrera
> Hi all,
>
> I'm interested in NIDS and I was wondering if somebody could, please, answer these questions or give me some information (links, etc.):
>
> 1. Which are NIDS limitations, in addition to pattern-matching's inherent limitations?
> 2. Which technologies or investigation lines are trying to minimize or even correct these limitations?
> 3. What about distributed NIDS?
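The evasion and injection problem Omar describes (the sensor not knowing how the monitored host will reassemble the packets it sees) is easiest to understand with overlapping TCP segments. The following is an added example, not code from the archived thread or from any IDS product: it models two illustrative reassembly policies ("first" keeps the bytes of the earlier segment, "last" keeps the bytes of the later one), feeds both a constructed overlapping segment sequence, and shows that a sensor whose policy differs from the target's either misses the request the target actually processes (evasion) or alerts on a request the target never sees (insertion). The policy names, the segment data and the `evil.cgi` signature are all assumptions made for the example.

```python
# Added example: why a NIDS needs to know the target's reassembly policy.
# The two policies below are simplified models; real stacks differ in more
# subtle ways (per-segment, per-byte, favoring older or newer data), so
# treat "first"/"last" as illustrative rather than as any specific OS.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Segment:
    seq: int      # TCP sequence number of the first byte, relative to ISN
    data: bytes   # segment payload, in order of arrival at the host


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the byte stream from possibly overlapping segments.

    policy == "first": a byte already received is never overwritten.
    policy == "last":  a later segment overwrites earlier bytes.
    Raises ValueError on an unknown policy or a hole in the stream.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown reassembly policy: {policy}")
    buf: Dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in buf:
                buf[off] = byte
    if not buf:
        return b""
    out = bytearray()
    for off in range(min(buf), max(buf) + 1):
        if off not in buf:
            raise ValueError(f"hole in stream at offset {off}")
        out.append(buf[off])
    return bytes(out)


# Constructed attacker stream (assumption, not captured traffic): the third
# segment overlaps the second with equal length, so the only difference
# between the two reconstructions is which overlapping bytes survive.
SEGMENTS = [
    Segment(seq=0, data=b"GET /"),
    Segment(seq=5, data=b"safe.cgi HTTP/1.0\r\n"),
    Segment(seq=5, data=b"evil.cgi"),
]

# Hypothetical content signature the sensor looks for in the reassembled stream.
SIGNATURE = b"evil.cgi"


def matches(stream: bytes) -> bool:
    return SIGNATURE in stream


def evaluate(sensor_policy: str, target_policy: str) -> Tuple[bool, bool]:
    """Return (sensor_alerted, target_saw_attack) for one policy pairing."""
    sensor_view = reassemble(SEGMENTS, sensor_policy)
    target_view = reassemble(SEGMENTS, target_policy)
    return matches(sensor_view), matches(target_view)


def classify(sensor_policy: str, target_policy: str) -> str:
    """Name the outcome: correct detection, evasion or insertion."""
    alerted, attacked = evaluate(sensor_policy, target_policy)
    if alerted == attacked:
        return "consistent"
    return "evasion" if attacked else "insertion"


if __name__ == "__main__":
    for sensor in ("first", "last"):
        for target in ("first", "last"):
            print(f"sensor={sensor:5} target={target:5} -> "
                  f"{classify(sensor, target)}")
```

Running the block prints a "consistent" verdict only on the diagonal, where sensor and target agree. A sensor using "first" watching a "last" host reports nothing while the host executes the `evil.cgi` request (evasion); the reverse pairing raises an alert the host never acts on (insertion). Both failures are the same root cause Omar names: the sensor is not emulating the response of the host it protects, and the policy can differ per O.S. and per application, not just per vendor.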
Current thread:
- new on IDSs Vladimir (Jan 26)
- RE: new on IDSs Omar Herrera (Jan 27)
- <Possible follow-ups>
- RE: new on IDSs Bawcom, Aaron (Jan 27)