Snort mailing list archives
RE: Re: [Snort-devel] IDS vs IPS
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 22 Aug 2003 10:14:39 -0500
On Fri, 2003-08-22 at 08:35, Bob Walder wrote:
My 0.02 worth is that a Network IPS (NIPS) is a device with two interfaces that operates in-line to detect suspicious traffic and INSTANTLY discard the offending packet and the rest of the suspicious flow.
Yup, I go with that. I actually like to refer to Snortsam as an Intrusion Reaction System, but IRS seems to have a negative ring to it :) How about Intrusion Containment Systems? ICS? Yeah, that's it. However, my arm has been twisted to call it an IPS. Yes, it doesn't prevent the first packet from intruding (say a packet to tcp/135), but once detected, it will prevent further communication with the intruder, thus preventing him from doing further damage (i.e. shell commands). Depending on the signature you could also contain the target. Where Snortsam shines is the ability to contain that source/target on all you firewalls. So if a server in the DMZ gets infected with Blaster, you could have Snortsam reconfigure your DMZ firewall. If a laptop of a vendor is detected spitting out Blaster, you could have all your firewalls be configured to isolate that laptop from the rest of your enterprise. Snortsam lacks the store'n'forward approach of the normal IPS's (as you just defined). But those are only single enforcement points. Snortsam can interact with multiple enforcement points. (i.e. if someone attempts an exploit on a server in London, you could have him blocked on your firewalls in London, New York, L.A., Madrid, Tokyo, etc). Anyhow, just wanted to say that your definition of an IPS was right on. Cheers, Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Re: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 22)
- <Possible follow-ups>
- RE: [Snort-devel] IDS vs IPS Robert Wagner (Aug 22)
- RE: RE: [Snort-devel] IDS vs IPS Tom Van Overbeke (Aug 22)
- RE: Re: [Snort-devel] IDS vs IPS Bob Walder (Aug 22)
- RE: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 22)
- Re: Re: [Snort-devel] IDS vs IPS Jason (Aug 27)
- Re: Re: [Snort-devel] IDS vs IPS Stevo (Aug 27)
- Re: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Gordon Cunningham (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS twig les (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)
- RE: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)
- RE: Re: [Snort-devel] IDS vs IPS Gordon Cunningham (Aug 28)