IDS mailing list archives
Re: Ability for SIM to perform tcp stream reassembly
From: jimmy.alderson () gmail com
Date: 27 Sep 2005 14:35:47 -0000
Typically, this level of detection is performed by devices specific to network monitoring. Products in the SIM space typically do not perform actual detection at the network or host layer. Instead, they aggregate, normalize, and correlate detections from other products such as IDS, Firewalls, Logs, etc. The reason why you are finding that vendors don't understand what you mean by TCP stream re-assembly is due to the fact that they just don't work at that level.

They will talk to you about Correlation Techniques such as Vulnerability Correlation to highlight IDS events that will actually have an impact, or Statistical Correlation which will highlight assets that are most at risk. In short, SIMs handle events and correlate those events with the overall state of the security posture (if that data is available).

I'd take a look at the link that Ron posted and then either use one of those network specific technologies or, as many fine products start out, build your own :-)
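The aggregate, normalize and correlate flow described in the post, with a vulnerability correlation and a statistical correlation pass, as an added example that is not part of the original thread or of any SIM product; the asset inventory, event records and vulnerability ids are constructed placeholders.

```python
"""Minimal SIM-style correlation over already-detected events (constructed sample).

The SIM never sees packets or reassembles streams: it takes alerts the IDS and
firewall already emitted, normalizes them, and correlates them with asset data.
"""
from collections import Counter

# Constructed asset inventory: host -> vulnerability ids present on it (placeholder ids).
ASSET_VULNS = {
    "10.0.0.5": {"VULN-EXAMPLE-1", "VULN-EXAMPLE-2"},
    "10.0.0.9": set(),
}

# Constructed raw events from two sources, each with its own field names.
RAW_EVENTS = [
    {"src": "ids", "sig": "exploit-attempt", "vuln": "VULN-EXAMPLE-1", "dst": "10.0.0.5"},
    {"src": "ids", "sig": "exploit-attempt", "vuln": "VULN-EXAMPLE-1", "dst": "10.0.0.9"},
    {"src": "fw", "action": "deny", "dst": "10.0.0.9"},
    {"src": "fw", "action": "deny", "dst": "10.0.0.9"},
    {"src": "ids", "sig": "portscan", "vuln": None, "dst": "10.0.0.5"},
]

def normalize(raw):
    """Map source-specific fields onto one schema: source, name, target, vuln."""
    if raw["src"] == "ids":
        return {"source": "ids", "name": raw["sig"], "target": raw["dst"], "vuln": raw.get("vuln")}
    if raw["src"] == "fw":
        return {"source": "fw", "name": "fw-" + raw["action"], "target": raw["dst"], "vuln": None}
    raise ValueError("unknown event source: %s" % raw["src"])

def vulnerability_correlation(events, asset_vulns):
    """Mark an IDS event high priority only if the target actually has the referenced vuln."""
    out = []
    for ev in events:
        present = ev["vuln"] is not None and ev["vuln"] in asset_vulns.get(ev["target"], set())
        out.append(dict(ev, priority="high" if present else "low"))
    return out

def statistical_correlation(events):
    """Rank targets by event volume, a crude 'assets most at risk' ordering."""
    return Counter(ev["target"] for ev in events).most_common()

def run(raw_events=RAW_EVENTS, asset_vulns=ASSET_VULNS):
    events = [normalize(r) for r in raw_events]
    return vulnerability_correlation(events, asset_vulns), statistical_correlation(events)

if __name__ == "__main__":
    prioritized, ranked = run()
    for ev in prioritized:
        print(ev["priority"], ev["source"], ev["name"], ev["target"])
    print(ranked)
```

Only the exploit attempt against the host that actually carries the vulnerability comes out high priority; the firewall denies and the scan are kept for the volume ranking but never raised.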
Current thread:
- Ability for SIM to perform tcp stream reassembly Thyrymn (Sep 26)
- Re: Ability for SIM to perform tcp stream reassembly Ron Gula (Sep 26)
- Re: Ability for SIM to perform tcp stream reassembly Merik Karman (Sep 29)
- Re: Ability for SIM to perform tcp stream reassembly Bamm Visscher (Sep 29)
- <Possible follow-ups>
- Re: Ability for SIM to perform tcp stream reassembly jimmy . alderson (Sep 27)