Snort mailing list archives
RE: Re: [Snort-devel] IDS vs IPS
From: "Gordon Cunningham" <gacunningham () bellsouth net>
Date: Wed, 27 Aug 2003 21:46:14 -0400
Black Ice Defender did this a few years ago... based on signatures, the system could detect some attack types and automatically react by preventing access from the source IP or port for some period of time.

- Gordon

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Frank Knobbe
Sent: Wednesday, August 27, 2003 8:34 PM
To: Jason
Cc: bwalder () spamcop net; 'Mark Teicher'; 'Jeff Nathan'; Vkmobile () aol com; snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS

On Wed, 2003-08-27 at 18:36, Jason wrote:
> Bob Walder wrote:
> > My 0.02 worth is that a Network IPS (NIPS) is a device with two interfaces that operates in-line to detect suspicious traffic and INSTANTLY discard the offending packet and the rest of the suspicious flow.
>
> What we have here is a definition of an IPS that matches pretty closely what firewalls have been able to do for some time.

Not quite. There are differences in the way firewalls and intrusion detection systems analyze data. For example, I have not seen a firewall that can identify a CodeRed attempt by name. Yeah, you can block HTTP methods and put limiters on URLs etc. (you mentioned CP as an example, which can do that with HTTP content stuff). But I have not come across a firewall with a 'signature set' like IDS' have them... yet.

It is true that most firewalls are under-utilized. However, an IPS (being based on an IDS) has capabilities beyond a firewall. Policy violations (or network flow anomalies) can be detected by firewalls and cause some sort of reaction/enforcement (CP's SAM is one example). However, firewalls don't have statistical anomaly detection like some IDS' do.

Let's draft a matrix of capabilities:

Metric       | Firewall        | IDS             | IPS
-----------------------------------------------------------
Signature    | Limited packet  | Extensive       | See IDS
Analysis     | inspection      | signature sets  |
             | due to lack of  | allow wide      |
             | rule set defin. | pattern match   |
-----------------------------------------------------------
Protocol     | Mostly present  | Present         | Present
validation   |                 |                 |
-----------------------------------------------------------
Traffic flow | Present, that's | Present         | Present
Anomaly Det. | what they do    |                 |
-----------------------------------------------------------
Statistical  | Absent          | Present         | Absent (???)
Anomaly Det. |                 |                 | (as of today)
-----------------------------------------------------------
Packet Log   | Logging mostly  | capable of      | See IDS
             | high level      | logging content |
-----------------------------------------------------------
Protocol     | Present         | Absent          | Present
normalizat-  |                 |                 |
ion          |                 |                 |
===========================================================
Activity     | Active          | Mostly Passive  | Active

If someone wants to take this further, feel free. But as you can see, IPS and firewalls are not quite alike (but neither are IPS and IDS! :)

Regards,
Frank
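The behaviour described in this message (a signature match that drops the offending packet, then discards the rest of that flow and shuts the source out for a period of time) side by side with a passive, alert-only IDS, as an added Python sketch that is not part of this thread and not Snort or BlackICE code. The signatures, packets, addresses and the 60-second source block window are constructed sample values; the CodeRed-style pattern is a simplified stand-in for a real rule.

```python
"""Toy in-line engine contrasting IDS mode (alert, forward) with IPS mode
(alert, drop packet, drop the rest of the flow, block the source for a while).

Added illustration only; signatures, packets and timeouts are constructed."""
import re
import time
from dataclasses import dataclass, field

# Constructed sample signatures: human-readable name -> regex run over the payload.
SIGNATURES = {
    "WEB-IIS CodeRed-style default.ida request": re.compile(rb"GET /default\.ida\?N{20,}"),
    "WEB-MISC directory traversal": re.compile(rb"\.\./\.\./"),
}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

    def flow(self):
        """Flow key: the 4-tuple this packet belongs to."""
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class InlineEngine:
    mode: str = "ips"               # "ids": alert only; "ips": drop and block
    src_block_secs: float = 60.0    # how long a matched source stays blocked
    alerts: list = field(default_factory=list)
    blocked_flows: set = field(default_factory=set)
    blocked_src: dict = field(default_factory=dict)   # src ip -> expiry time

    def _match(self, pkt):
        for name, rx in SIGNATURES.items():
            if rx.search(pkt.payload):
                return name
        return None

    def process(self, pkt, now=None):
        """Return 'forward' or 'drop' for one packet, recording any alert."""
        now = time.monotonic() if now is None else now
        if self.mode == "ips":
            # Temporary source block: enforced until it expires, then forgotten.
            expiry = self.blocked_src.get(pkt.src)
            if expiry is not None:
                if expiry > now:
                    return "drop"
                del self.blocked_src[pkt.src]
            # The rest of a flagged flow is discarded without re-inspection.
            if pkt.flow() in self.blocked_flows:
                return "drop"
        sig = self._match(pkt)
        if sig is None:
            return "forward"
        self.alerts.append((sig, pkt.src, pkt.dst))
        if self.mode == "ids":
            return "forward"        # passive: the packet has already gone by
        self.blocked_flows.add(pkt.flow())
        self.blocked_src[pkt.src] = now + self.src_block_secs
        return "drop"


def demo():
    """Run the same constructed traffic through both modes and return the verdicts."""
    attack = Packet("203.0.113.5", "192.0.2.10", 40000, 80,
                    b"GET /default.ida?" + b"N" * 50 + b" HTTP/1.0\r\n")
    benign = Packet("203.0.113.5", "192.0.2.10", 40001, 80,
                    b"GET /index.html HTTP/1.0\r\n")
    rest_of_flow = Packet(attack.src, attack.dst, attack.sport, attack.dport, b"more data")
    results = {}
    for mode in ("ids", "ips"):
        eng = InlineEngine(mode=mode)
        t0 = 1000.0
        results[mode] = {
            "attack": eng.process(attack, t0),
            "same_src_later": eng.process(benign, t0 + 1),
            "same_src_after_expiry": eng.process(benign, t0 + 61),
            "rest_of_flow": eng.process(rest_of_flow, t0 + 61),
            "alerts": len(eng.alerts),
        }
    return results


if __name__ == "__main__":
    for mode, verdicts in demo().items():
        print(mode, verdicts)
```

Both modes raise exactly the same alert on the same packet; the difference is entirely in what happens next. The IDS forwards everything and only reports, while the IPS drops the matched packet, keeps dropping that flow, and refuses the source for the block window even for benign requests, which is also why an in-line device's false positives cost far more than a passive sensor's.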
Current thread:
- Re: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 22)
- <Possible follow-ups>
- RE: [Snort-devel] IDS vs IPS Robert Wagner (Aug 22)
- RE: RE: [Snort-devel] IDS vs IPS Tom Van Overbeke (Aug 22)
- RE: Re: [Snort-devel] IDS vs IPS Bob Walder (Aug 22)
- RE: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 22)
- Re: Re: [Snort-devel] IDS vs IPS Jason (Aug 27)
- Re: Re: [Snort-devel] IDS vs IPS Stevo (Aug 27)
- Re: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Gordon Cunningham (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS twig les (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
- RE: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)
- RE: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)
- RE: Re: [Snort-devel] IDS vs IPS Gordon Cunningham (Aug 28)
- Re: Re: [Snort-devel] IDS vs IPS Jason (Aug 27)
- Re: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
- Re: Re: [Snort-devel] IDS vs IPS Jeff (Aug 27)
- Re: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)