IDS mailing list archives
RE: IDS evaluations procedures
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 22 Jul 2005 16:38:35 -0500
On Sat, 2005-07-16 at 12:42 -0400, Nathan Davidson wrote:
> To make things easier to compare, let us say that the IPS and IDS have the SAME signatures/policy and they both identify all of the malicious traffic:
> The IPS will create 10 alerts/sec
> The IDS will create 100 alerts/sec
Uhm... then the IDS is not configured properly.

IPSes seem to filter proactively, that is, based on assumptions. It assumes that your server is vulnerable against xyz and blocks it. But the server doesn't have to be vulnerable.

You can deploy an IDS as an ADS, that is, an Attack Detection System. As such it would alert on every xyz packet that looks suspicious and which the IDS thinks may cause harm to your server.

But you can also deploy an IDS as an... well... Intrusion Detection System. Configured like that, it doesn't make assumptions and doesn't care if it sees xyz hitting the server. It cares what the server responds with to xyz. If it detects an abnormal response, or outright hostile traffic (i.e. the signature of a botnet C&C channel join), then it issues an alert, and only then.

Given that, the math is as follows:

ADS: 100 alerts/sec
IPS: 10 alerts/sec
IDS: 1 alert/incident

I think the IDS has a much higher security ROI (oops, I said the evil word) than an IPS. The IPS is a broadsword. The IDS, properly deployed and managed, is a sensitive detector, not a noisy alarm bell. It doesn't alert on every thrust of a sword, it only alerts when you bleed.

Regards,
Frank

PS: I sometimes wonder if the I-have-more-alerts-than-you stick-waving in the IDS market contributed to the misuse of IDS systems....
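Frank's distinction between alerting on every suspicious request (ADS mode) and alerting only when the server's response shows the attack did something (IDS mode), as an added Python example that is not part of the original thread. The log lines, connection ids and both regex signatures below are constructed for illustration.

```python
# Added example (not from the original post): contrast "ADS-style" alerting on every
# suspicious request with "IDS-style" alerting that fires only when the server's
# response indicates the request actually did something.
import re
from collections import defaultdict

# Constructed sample: (conn_id, direction, payload) tuples, not real traffic.
SAMPLE_LOG = [
    ("c1", "req", "GET /cgi-bin/xyz?cmd=id HTTP/1.0"),
    ("c1", "rsp", "HTTP/1.0 404 Not Found"),
    ("c2", "req", "GET /cgi-bin/xyz?cmd=id HTTP/1.0"),
    ("c2", "rsp", "HTTP/1.0 404 Not Found"),
    ("c3", "req", "GET /cgi-bin/xyz?cmd=id HTTP/1.0"),
    ("c3", "rsp", "HTTP/1.0 200 OK uid=33(www-data) gid=33(www-data)"),
    ("c4", "req", "GET /index.html HTTP/1.0"),
    ("c4", "rsp", "HTTP/1.0 200 OK <html>"),
]

# Hypothetical signatures: the request pattern an ADS would alert on, and the
# response pattern that shows the server actually executed something.
SUSPICIOUS_REQUEST = re.compile(r"/cgi-bin/xyz\?cmd=")
COMPROMISE_RESPONSE = re.compile(r"uid=\d+\(")


def pair_flows(log):
    """Group request and response payloads by connection id (insertion order kept)."""
    flows = defaultdict(dict)
    for conn_id, direction, payload in log:
        flows[conn_id][direction] = payload
    return flows


def ads_alerts(log):
    """Attack-detection mode: alert on every suspicious-looking request."""
    return [c for c, f in pair_flows(log).items()
            if SUSPICIOUS_REQUEST.search(f.get("req", ""))]


def ids_alerts(log):
    """Intrusion-detection mode: alert only when the response shows the attack worked."""
    return [c for c, f in pair_flows(log).items()
            if SUSPICIOUS_REQUEST.search(f.get("req", ""))
            and COMPROMISE_RESPONSE.search(f.get("rsp", ""))]


if __name__ == "__main__":
    print("ADS alerts:", ads_alerts(SAMPLE_LOG))  # three alerts, two of them for 404s
    print("IDS alerts:", ids_alerts(SAMPLE_LOG))  # one alert, for the connection that "bled"
```

Against the same three suspicious requests, the ADS view raises three alerts while the response-aware view raises one, which is the ratio the post's "alerts per second" versus "alert per incident" comparison describes.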