IDS mailing list archives
RE: need your help about IPS and IDS,thanks
From: "Chris Petersen" <chris.petersen () security-conscious com>
Date: Thu, 18 Nov 2004 09:37:30 -0700
Lily, I think of IPS as IDS with the ability to take action. Both IPS and IDS have techniques for detecting malicious activity and most commercial products use a combination: Network I(P/D)S - Packet signature analysis - Protocol analysis - Session analysis Host I(P/D)S - System call analysis - Binary behavior analysis (e.g., is IIS.exe accessing an unauthorized file/directory) - Automated Log analysis - File integrity monitoring Regardless of whether the product is an IPS or IDS, it is going to detect malicious activity via one or more of the aformentioned techniques. The difference with IPS is that once malicious activity is detected, the IPS has the ability to take action where this action might be: Network IPS - Terminate IP connection (if sitting in-line) - Send TCP Reset (if killing TCP session and not sitting in-line) - Send ICMP unreachable (if killing UDP session and not sitting in-line)(if my memory serves) Host IPS - Block system call - Block access - Terminate Process What one has to weigh are the pro's/con's of each. As Eric mentioned in his post, if you kill a session, you can't continue to collect data on that session, however, the session is killed so if it was actually an attack you are probably better off. In talking to users of IPS, they typically use the product as an IDS first (just detect stuff) and then begin to turn on IPS actions as they determine the reliability of its detection capabilities. Personally, I see value in both. Use an IPS to prevent what can reliably be prevented, use an IDS (or the IPS in IDS-only mode) to detect the more difficult to prevent attacks and collect additional forensic data. Now what you with all that data is another question (and why I built LogRhythm ;-). There are a couple of papers I wrote that might be of help, one is an intro to IDS and the detection techniques referred to above, the other is a brief statement on IPS. You can find them on the literature page at www.logrhythm.com. Cheers and good luck, Chris Petersen CTO, Security Conscious, Inc. -----Original Message----- From: Lily [mailto:xiaoche111 () hotmail com] Sent: Wednesday, November 17, 2004 2:39 AM To: Eric McCarty Cc: focus-ids () securityfocus com Subject: Re: need your help about IPS and IDS,thanks Thanks for your reply.But I still some question about it: 1.I see 'HIPS creates a baseline of normal activity' and 'NIPS to perform pattern-matching between what is known as an attack and the traffic that is traversing the network' in the Web of Vigilar. If the meaning of these two sentences is HIPS can only build the normal model to detect while NIPS can use the pattern matching as the IDS? 2. If the 'IPS just knows its an attack which needs to be blocked/dropped/reset',what's the meaning of log the traffic?I think the logs is no meaning because of the integrity.These type logs can not distinguish any known attack. 3.I am puzzling what technology is used of IDS by IPS? ----- Original Message ----- From: "Eric McCarty" <eric () piteduncan com> To: "Lily" <xiaoche111 () hotmail com>; <focus-ids () securityfocus com> Sent: Wednesday, November 17, 2004 1:00 AM Subject: RE: need your help about IPS and IDS,thanks Responses Inline : 1.IPS must build normal model while IDS can use the abnormal model(misuse detection)?If it is what's the difference between the IDS's anomaly detection and IPS? IDS can watch the whole session and figure out whats just happened. IPS must know long before the session is finished in order to Prevent anything from happening. 4.Why someone said IPS can not log the trace of the attacks while IDS can do?I think IPS can do it easily.Maybe because IPS is in-line and log the trace needing many time? The IPS would see the same packets any IDS would, the difference is that once the IPS figured out the traffic is malicious it takes action. Thus the IPS log would be up to the point of action being taken, so an IDS may see the entire flow of traffic and more acurately match the traffic to a signature of a known attack while the IPS just knows its an attack which needs to be blocked/dropped/rset. So depressed with the IDS/IPS and my thesis is flying in the sky:( Thank you in advance. I had this great apricot beer the other day, I highly recommend it. Lily ------------------------------------------------------------------------ -- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ -- -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- need your help about IPS and IDS,thanks Lily (Nov 16)
- RE: need your help about IPS and IDS,thanks Andy Cuff (Nov 17)
- <Possible follow-ups>
- RE: need your help about IPS and IDS,thanks Eric McCarty (Nov 16)
- Re: need your help about IPS and IDS,thanks Lily (Nov 17)
- RE: need your help about IPS and IDS,thanks Andy Cuff (Nov 18)
- RE: need your help about IPS and IDS,thanks Chris Petersen (Nov 19)
- RE: need your help about IPS and IDS,thanks Stuart Staniford (Nov 22)
- RE: need your help about IPS and IDS,thanks Omar Herrera (Nov 23)
- Re: need your help about IPS and IDS,thanks Lily (Nov 17)
- Re: need your help about IPS and IDS,thanks Lily (Nov 17)
- Message not available
- need your help about IPS and IDS,thanks Zhuowei Li (Nov 19)