Full Disclosure mailing list archives

Re: Suggestion for IDS

From: Valdis.Kletnieks () vt edu
Date: Wed, 28 Sep 2005 06:09:22 -0400

On Wed, 28 Sep 2005 11:48:06 +0200, Peer Janssen said:

Really? Is there no software package capable of withholding inspected 
packages until cleared by said IDS?


All depends on the inbound packet rate, how fast the IDS is, and how much RAM
you're willing to buy.  Just remember that a sufficiently long queue is in
itself a denial of service... ;)

Dropping packets, closing ports and resetting connections (besides 
logging, maybe notifying users) look like natural useful reactions to 
the detections deliverad of an IDS to me.


Just remember to configure the thing sensibly - it's amazing how many
people manage to shoot themselves in the foot, and find out the hard way
that yes, Virginia, there ARE people out there that will forge packets
with the source IP address of the victim's nameserver... ;)

Or are we just talking about definitions (regarding the "D" in IDS), 
instead of talking about IDPS-ses which the OP clearly seems to imply? 
(P for prevention)


It's *very* important to talk about definitions - there's waaay too many
people who buy an IDS and think that by hooking it to the net, it magically
becomes an IPS.

An equally great number buy some IPS or other, and find out the hard way that
they don't block a 0-day or a new worm.....

So what are the IDPS-ses you recommend?


I recommend buying one that you're able to get your brain wrapped around what
the unit *can* and *cannot* do for you.  A less functional unit that you
understand fully is a better choice than a top-of-the-line whizz-bang-3000 that
you have no clue about its actual abilities.  Quite frankly, anybody who
already has a PIX installed and wants to install an IPS needs to quantify
*exactly* what protection the PIX is failing to provide before they go shopping
for anything.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Suggestion for IDS Fajar Edisya Putera (Sep 28)
- Re: Suggestion for IDS Valdis . Kletnieks (Sep 28)
  - Re: Suggestion for IDS Peer Janssen (Sep 28)
    - Re: Suggestion for IDS Valdis . Kletnieks (Sep 28)
    - Re: Suggestion for IDS Michael Holstein (Sep 28)
    - Re: Suggestion for IDS Joel Esler (Sep 28)
- Re: Suggestion for IDS Michael Holstein (Sep 28)
  - Re: Suggestion for IDS Reto Inversini (Sep 28)
  - RE: Suggestion for IDS Randall M (Sep 29)
- Re: Suggestion for IDS Paul Schmehl (Sep 28)
  - Re: Suggestion for IDS Kevin Pawloski (Sep 28)
    - Re: Suggestion for IDS Lew Wolfgang (Sep 28)
    - IDS features (was: Suggestion for IDS) Alejandro Barrera (Sep 28)
    - Re: IDS features (was: Suggestion for IDS) Kevin Pawloski (Sep 28)

(Thread continues...)