Snort mailing list archives

Re: New Trend: Intrusion Prevention


From: Erick Mechler <emechler () techometer net>
Date: Fri, 13 Dec 2002 13:14:07 -0800

:: I believe it intercepts kernel calls and blocks/passes
:: them, kinda playing middleman.  Not sure though. 
:: Looks neat, but I don't see any silver bullet here
:: either; not unless you want to slap this type of thing
:: on your 500-5000 XP workstations too.

Okena makes one that my team is currently evaluating.  Twig, you're right,
it sits between the application and the OS level and looks at all system
calls that the applications are making.  Benefits of sitting this low: you
can have extremely fine-grained control over what an application is allowed
to use/modify/read/etc.; you can analyze encrypted data since the
application has already decrypted it.  Drawbacks: it takes a *lot* of setup
time to figure out exactly what certain applications need.

  http://www.okena.com/areas/products/products_stormwatch.html

Niels Provos also wrote something similar for UNIX, called systrace.

  http://www.citi.umich.edu/u/provos/systrace/

I'm not sure this is what Paul Sheahan was referring to when he was talking
about Intrusion Prevention, though, seeing as this is a host-based
solution.  There are network-based Intrusion Prevention solutions, but in
my opinion they're really not practical due to the fact that you need an
extremely high degree of accuracy (as Bob already mentioned).

Cheers - Erick
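The interposition model described in the post (a policy sitting between the application and the OS that decides each system call, with the setup cost of first learning what the application needs) as an added example, not code from the post, from systrace or from Okena. The rule syntax is a constructed simplification of the "syscall: condition then action" shape, the policy and trace are invented for a hypothetical application, and anything no rule matches is denied.

```python
import fnmatch
import re

# Constructed policy for a hypothetical application, loosely modelled on the "syscall:
# condition then action" shape of systrace rules (simplified, not real systrace syntax).
POLICY_TEXT = """
fsread: filename eq "/etc/resolv.conf" then permit
fswrite: filename match "/tmp/app-*" then permit
fswrite: filename eq "/etc/app.conf" then permit
fswrite: filename match "/etc/*" then deny
connect: sockaddr match "inet-*:53" then permit
exit: permit
"""

RULE_RE = re.compile(r'^(\w+):\s*(?:(\w+)\s+(eq|match)\s+"([^"]*)"\s+then\s+)?(permit|deny)$')

def parse_policy(text):
    """Rules as (syscall, field, op, pattern, action); the middle three are None if unconditional."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("bad rule: " + line)
        rules.append(m.groups())
    return rules

def evaluate(rules, syscall, args):
    """Decide one intercepted call: first matching rule wins, and no match means deny."""
    for name, field, op, pattern, action in rules:
        if name != syscall:
            continue
        if field is None:
            return action
        value = args.get(field, "")
        if (op == "eq" and value == pattern) or (op == "match" and fnmatch.fnmatch(value, pattern)):
            return action
    return "deny"

TRACE = [  # constructed trace of one run of the application, as a learning mode would record it
    ("fsread", {"filename": "/etc/hosts"}),
    ("fsread", {"filename": "/etc/hosts"}),
    ("fswrite", {"filename": "/var/log/app.log"}),
    ("exit", {}),
]

def learn_policy(trace):
    """Learning mode: one exact-match permit rule per distinct observed call. This is the
    setup cost the post describes; anything the run did not exercise stays denied."""
    seen = dict.fromkeys((s, *next(iter(a.items()), (None, None))) for s, a in trace)
    return "\n".join(f'{s}: {f} eq "{v}" then permit' if f else f"{s}: permit" for s, f, v in seen)
```

A policy learned from a single run permits exactly the paths that run touched, which is why a learning pass has to cover every code path of the application before the policy is usable.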

