Snort mailing list archives
FW: tippingpoint]
From: "Geoff Poer" <gpoer () arizona edu>
Date: Mon, 20 Oct 2003 01:05:33 -0700
Ok... let's break it down some more!
So we start out with a marketing guy from Dell trying to sell something.
Not really anything strange there :)
This post was quickly responded to in a manner that suggests we really have a new buzz-word -- IPS (Intrusion Prevention System) -- that will imminently replace IDSs (Intrusion Detection Systems):
If you are responding to *MY* postings with the intention of providing proof that IDS is not dying, you can save your keyboard the furiousness of your poundings. While that has been a topic of conversation, IDS is an analysis tool that will not be "replaced" by IPS... it will be feeding IPS. Even the sales guys from TippingPoint will tell you that... they are relying on IDS to do the harder work and correlation that they cannot do.
"..talking about how useless IDS are.." Yeah. Right. That's why there's so many in use in production environments right now.
I am not saying (and I don't believe anyone else is either) that IDS is useless. However, the statements that articles are being published that do hold that sentiment are not incorrect.
*My* point was addressed to the details of this Brave New Tool(tm) -- the IDS -- as it was presented here:
So we have presented to us these IPS strong points: 1) implement signatures with a low false positive rate
Yup... If you do that on your IDS you are missing a lot of good information. If you do not have the resources or the knowledge level (which most people on this list have) to look at every alert, then you can dump the noisy signatures; however, you can NOT do that on your IPS or it will die.
2) detect ancient, well-known signatures
The example I gave was an "ancient" signature. However, the signatures that we run on the box apply to much more recent attacks and vulnerabilities.
And I ask: this makes an IPS better or different than an IDS (aka: snort) how?
Not better... different.
By doing something different *after* the packet is identified as malicious? uh... OK.
Actually, YES! That is exactly the difference. No active response measure (that I know of) will keep the offending packet from getting to the destination. An IPS will.
My real point, perhaps not quickly stated, is that any tool needs to be used with great thought, study, and understanding, and not just because some marketdroid is trying to sell it, nor because it's getting a lot of write-ups in the press.
And finally we agree on something :)
Remember: defense in depth, not defense by marketing.
Yes, and an IPS is a great tool to add to that philosophy. Don't replace IDS; just add another layer.

Geoff