IDS mailing list archives

RE: amount of alarms generated by IDS

From: "Rob Shein" <shoten () starpower net>
Date: Tue, 11 May 2004 13:37:16 -0400

Simple.  An inline IDS is one that sits inline, and thus doesn't have to
listen promiscuously.  There are a few situations where you might want this.
The reason why there are two separate terms..."inline IDS" and "IPS"...is
because they are two separate things.

-----Original Message-----
From: Ravishankar Ithal [mailto:ravi_ithal () yahoo com] 
Sent: Tuesday, May 11, 2004 1:14 PM
To: Rob Shein; 'Bhargav Bhikkaji'; focus-ids () securityfocus com
Subject: RE: amount of alarms generated by IDS



--- Rob Shein <shoten () starpower net> wrote:

I'm a bit confused here.  You're talking about inline IDS and IPS.  
Are you using the terms interchangably?  If so, you're mistaken; 
putting an IDS inline does not make it an IPS.  And an IDS inline 
shouldn't be dropping packets.


If an IDS doesn't have the ability to drop packets, why would 
you call it "inline"? Note that sitting in the packet path or 
as an offline box doesn't make any difference in the amount 
and kind of traffic that the box can actually see, what with 
spanning on switches. I _am_ using the two terms 
interchangably, simply because IPSs of today are nothing but 
IDSs of yesterday with an ability to drop malicious looking packets.

I could see how the signatures could be tuned differently

due to the

fact that it is able to ensure that it sees everything, and

that could

generate fewer FPs, but aside from that I doubt there would be any 
difference.  Keep in mind that an inline IDS does not (normally) do 
anything to bad traffic, while an IPS takes an active role in 
munging/blocking/denying such.





      
              
__________________________________
Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs  
http://hotjobs.sweepstakes.yahoo.com/careermakeover



---------------------------------------------------------------------------

---------------------------------------------------------------------------

Current thread:

Re: amount of alarms generated by IDS Alberto Gonzalez (May 03)
- <Possible follow-ups>
- Re: amount of alarms generated by IDS Anton A. Chuvakin (May 05)
  - Re: amount of alarms generated by IDS Jason Haar (May 06)
  - RE: amount of alarms generated by IDS Shawn (May 06)
    - RE: amount of alarms generated by IDS Ravishankar Ithal (May 07)
- RE: amount of alarms generated by IDS Harper, Patrick (May 06)
- Re: amount of alarms generated by IDS Bhargav Bhikkaji (May 10)
  - Re: amount of alarms generated by IDS Ravishankar Ithal (May 10)
    - RE: amount of alarms generated by IDS Rob Shein (May 11)
    - RE: amount of alarms generated by IDS Ravishankar Ithal (May 12)
    - RE: amount of alarms generated by IDS Rob Shein (May 11)
    - Re: amount of alarms generated by IDS Jason (May 11)
    - Re: amount of alarms generated by IDS Dennis Cox (May 11)
    - Re: amount of alarms generated by IDS Jason (May 13)
    - RE: amount of alarms generated by IDS Frank Knobbe (May 11)
    - Hi, I want to study IPS cto (May 11)
    - RE: Hi, I want to study IPS Shawn (May 13)
  - Re: amount of alarms generated by IDS Andy Cuff (May 11)
- RE: amount of alarms generated by IDS Runion Mark A FGA DOIM WEBMASTER(ctr) (May 11)
- RE: amount of alarms generated by IDS Wozny, Scott (US - New York) (May 13)
  - Re: amount of alarms generated by IDS nick black (May 14)

(Thread continues...)