Snort mailing list archives
Re: New Trend: Intrusion Prevention
From: Erick Mechler <emechler () techometer net>
Date: Fri, 13 Dec 2002 13:14:07 -0800
:: I believe it intercepts kernel calls and blocks/passes
:: them, kinda playing middleman. Not sure though.
:: Looks neat, but I don't see any silver bullet here
:: either; not unless you want to slap this type of thing
:: on your 500-5000 XP workstations too.

Okena makes one that my team is currently evaluating. Twig, you're right, it sits between the application and the OS level and looks at all system calls that the applications are making. Benefits of sitting this low: you can have extremely fine-grained control over what an application is allowed to use/modify/read/etc.; you can analyze encrypted data since the application has already decrypted it. Drawbacks: it takes a *lot* of setup time to figure out exactly what certain applications need.

http://www.okena.com/areas/products/products_stormwatch.html

Niels Provos also wrote something similar for UNIX, called systrace.

http://www.citi.umich.edu/u/provos/systrace/

I'm not sure this is what Paul Sheahan was referring to when he was talking about Intrusion Prevention, though, seeing as this is a host-based solution. There are network-based Intrusion Prevention solutions, but in my opinion they're really not practical due to the fact that you need an extremely high degree of accuracy (as Bob already mentioned).

Cheers - Erick
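Added example, not part of the message above and not code from StormWatch or systrace: a minimal model of a default-deny, per-application system-call policy, showing both the fine-grained control and the setup cost the message describes. The rule format, call names and both traces are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample traces: (call, argument) pairs as a system-call
# interposition layer might report them for one web server process.
# Arguments are assumed to be canonicalised already (no "..", no symlinks).
TRAINING_TRACE = [
    ("open_read", "/etc/httpd/httpd.conf"),
    ("open_read", "/var/www/index.html"),
    ("open_read", "/var/www/img/logo.png"),
    ("open_write", "/var/log/httpd/access.log"),
    ("bind", "tcp:80"),
]
PRODUCTION_TRACE = [
    ("open_read", "/var/www/docs/faq.html"),     # legitimate, unseen in training
    ("open_write", "/var/log/httpd/error.log"),  # legitimate, unseen in training
    ("open_read", "/etc/shadow"),                # not needed by the application
    ("execve", "/bin/sh"),                       # not needed by the application
]

def learn(trace):
    """Learning mode: permit exactly the calls observed (hypothetical rule format)."""
    return sorted(set(trace))

def decide(policy, call, arg):
    """Default deny: permit only when a rule matches both the call and its argument."""
    for rule_call, pattern in policy:
        if rule_call == call and fnmatchcase(arg, pattern):
            return "permit"
    return "deny"

def denied(policy, trace):
    """Return the trace entries the policy would block, in order."""
    return [(c, a) for c, a in trace if decide(policy, c, a) == "deny"]

# The learned rules after an administrator generalises them by hand.
TUNED_POLICY = [
    ("open_read", "/etc/httpd/*"),
    ("open_read", "/var/www/*"),
    ("open_write", "/var/log/httpd/*"),
    ("bind", "tcp:80"),
]

if __name__ == "__main__":
    for name, policy in (("learned", learn(TRAINING_TRACE)), ("tuned", TUNED_POLICY)):
        print(name, "policy denies:", denied(policy, PRODUCTION_TRACE))
```

The policy learned from a single run blocks the two legitimate production calls as well as the two unneeded ones; only the hand-tuned policy separates them, which is the per-application tuning effort.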