RE: IDS evaluations procedures

[Frank Knobbe <frank () knobbe us>]

On Sat, 2005-07-16 at 12:42 -0400, Nathan Davidson wrote:
> To make things easier to compare let us say that the IPS and IDS have
> the SAME signatures/policy and they both identify all of the malicious
> traffic:
>  
> The IPS will create 10 alerts/sec
> The IDS will create 100 alerts/sec

Uhm... then the IDS is not configured properly.

IPSes seem to filter proactively, that means based on assumptions. It
assumes that your server is vulnerable against xyz and blocks it. But
the server doesn't have to be vulnerable.

You can deploy an IDS as an ADS, that is, Attack Detection System. As
such it would alert on every xyz packet that look suspicious and which
the IDS thinks may cause harm to your server.

But you can also deploy an IDS as an ...well... Intrusion Detection
System. Configured like that, it doesn't make assumptions and doesn't
care if it sees xyz hitting the server. It cares what the server
responds with to xyz. If it detects an abnormal response, or outright
hostile traffic (i.e. signature of a botnet c&c channel join), then it
issues an alert, and only then.

Given that, the math is as follows:

ADS: 100 alerts /sec
IPS: 10 alerts /sec
IDS: 1 alert /incident

I think the IDS has a much higher security ROI (oops, I said the evil
word) than an IPS.

The IPS is a broad-sword. The IDS, properly deploy and managed, is a
sensitive detector, not a noisy alarm bell. It doesn't alert on every
thrust of a sword, it only alerts when you bleed.

Regards,
Frank

PS: I sometimes wonder if the I-have-more-alerts-than-you-stick-waving
in the IDS market contributed to the misuse of IDS systems....

Attachment: signature.asc
Description: This is a digitally signed message part