IDS mailing list archives

RE: amount of alarms generated by IDS


From: "Rob Shein" <shoten () starpower net>
Date: Tue, 11 May 2004 12:03:24 -0400

I'm a bit confused here.  You're talking about inline IDS and IPS.  Are you
using the terms interchangeably?  If so, you're mistaken; putting an IDS
inline does not make it an IPS.  And an IDS inline shouldn't be dropping
packets.  I could see how the signatures could be tuned differently due to
the fact that it is able to ensure that it sees everything, and that could
generate fewer FPs, but aside from that I doubt there would be any
difference.  Keep in mind that an inline IDS does not (normally) do anything
to bad traffic, while an IPS takes an active role in
munging/blocking/denying such.

-----Original Message-----
From: Ravishankar Ithal [mailto:ravi_ithal () yahoo com] 
Sent: Tuesday, May 11, 2004 12:46 AM
To: Bhargav Bhikkaji; focus-ids () securityfocus com
Subject: Re: amount of alarms generated by IDS


"expected" is the keyword here. While promiscuous mode IDS got away with
logging alarms because of FPs, inline IDS (or IPS) has more to lose. If it
generates a lot of FPs and drops good packets, network usability is at stake.
Third party correlation tools can't help inline IDS at all. For these reasons,
the initial configs for inline IDS devices should be much more stringent and
should contain high confidence signatures only.

-Ravishankar Ithal
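As an added illustration of the point argued in this thread (example code, not from either poster): a toy inline policy in which only signatures above a confidence threshold are allowed to drop, while everything else stays alert-only, so a false positive on a loose signature cannot cut off good traffic. Signature names, confidence scores and the sample packets are all constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Signature:
    name: str
    confidence: float               # constructed 0..1 estimate of how rarely it false-positives
    match: Callable[[bytes], bool]  # payload predicate

# Constructed signatures: one tight (hard to false-positive), one loose.
SIGNATURES: List[Signature] = [
    Signature("exact-marker", 0.99,
              lambda p: b"CONSTRUCTED-EXPLOIT-MARKER" in p),
    Signature("generic-long-uri", 0.40,
              lambda p: p.startswith(b"GET ") and len(p) > 60),
]

INLINE_DROP_THRESHOLD = 0.90   # only signatures this confident may drop inline

def inline_decision(payload: bytes, sigs: List[Signature],
                    threshold: float = INLINE_DROP_THRESHOLD) -> Tuple[str, str]:
    """Return (action, signature_name); action is 'drop', 'alert' or 'pass'.
    A promiscuous (passive) IDS is the same function with threshold > 1.0:
    every hit becomes an alert and nothing is ever dropped."""
    for sig in sigs:
        if sig.match(payload):
            if sig.confidence >= threshold:
                return ("drop", sig.name)
            return ("alert", sig.name)
    return ("pass", "")

def run(packets: List[bytes], sigs: List[Signature],
        threshold: float = INLINE_DROP_THRESHOLD) -> Dict[str, int]:
    """Apply the policy to a batch and count what happened to each packet."""
    counts = {"drop": 0, "alert": 0, "pass": 0}
    for p in packets:
        action, _ = inline_decision(p, sigs, threshold)
        counts[action] += 1
    return counts

# Constructed traffic: two legitimate long GETs, one real hit, one plain request.
PACKETS: List[bytes] = [
    b"GET /catalog/search?q=" + b"a" * 80 + b" HTTP/1.1",
    b"GET /reports/2004/05/quarterly-summary-export.csv?format=long HTTP/1.1",
    b"CONSTRUCTED-EXPLOIT-MARKER",
    b"GET / HTTP/1.1",
]

if __name__ == "__main__":
    print(run(PACKETS, SIGNATURES))                 # inline: loose sig only alerts
    print(run(PACKETS, SIGNATURES, threshold=0.0))  # loose sig allowed to drop: 2 good GETs lost
```

Lowering the threshold to 0.0 shows the cost the thread warns about: the two legitimate long requests are dropped along with the real hit.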

