IDS mailing list archives
RE: amount of alarms generated by IDS
From: "Rob Shein" <shoten () starpower net>
Date: Tue, 11 May 2004 12:03:24 -0400
I'm a bit confused here. You're talking about inline IDS and IPS. Are you using the terms interchangeably? If so, you're mistaken; putting an IDS inline does not make it an IPS. And an IDS inline shouldn't be dropping packets. I could see how the signatures could be tuned differently due to the fact that it is able to ensure that it sees everything, and that could generate fewer FPs, but aside from that I doubt there would be any difference. Keep in mind that an inline IDS does not (normally) do anything to bad traffic, while an IPS takes an active role in munging/blocking/denying such.
-----Original Message-----
From: Ravishankar Ithal [mailto:ravi_ithal () yahoo com]
Sent: Tuesday, May 11, 2004 12:46 AM
To: Bhargav Bhikkaji; focus-ids () securityfocus com
Subject: Re: amount of alarms generated by IDS

"expected" is the keyword here. While promiscuous mode IDS got away with logging alarms because of FPs, inline IDS (or IPS) has more to lose. If it generates a lot of FPs and drops good packets, network usability is at stake. Third party correlation tools can't help inline IDS at all. For these reasons, the initial configs for inline IDS devices should be much more stringent and should contain high confidence signatures only.

-Ravishankar Ithal