Snort mailing list archives
RE: Re: [Snort-devel] IDS vs IPS
From: "Bob Walder" <bwalder () spamcop net>
Date: Fri, 22 Aug 2003 17:18:09 +0200
Thanks Frank,

I would also like to say that your definition of Snortsam is also spot on to my mind: an Intrusion Reaction System or Intrusion Containment System sounds about right! ;o)

See... Who needs marketing guys?

Regards,
Bob Walder
-----Original Message-----
From: snort-devel-admin () lists sourceforge net [mailto:snort-devel-admin () lists sourceforge net] On Behalf Of Frank Knobbe
Sent: 22 August 2003 17:15
To: snort-devel () lists sourceforge net; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS

On Fri, 2003-08-22 at 08:35, Bob Walder wrote:
> My 0.02 worth is that a Network IPS (NIPS) is a device with two interfaces that operates in-line to detect suspicious traffic and INSTANTLY discard the offending packet and the rest of the suspicious flow.

Yup, I go with that. I actually like to refer to Snortsam as an Intrusion Reaction System, but IRS seems to have a negative ring to it :) How about Intrusion Containment Systems? ICS? Yeah, that's it.

However, my arm has been twisted to call it an IPS. Yes, it doesn't prevent the first packet from intruding (say a packet to tcp/135), but once detected, it will prevent further communication with the intruder, thus preventing him from doing further damage (i.e. shell commands). Depending on the signature you could also contain the target.

Where Snortsam shines is the ability to contain that source/target on all your firewalls. So if a server in the DMZ gets infected with Blaster, you could have Snortsam reconfigure your DMZ firewall. If a laptop of a vendor is detected spitting out Blaster, you could have all your firewalls be configured to isolate that laptop from the rest of your enterprise.

Snortsam lacks the store'n'forward approach of the normal IPSs (as you just defined). But those are only single enforcement points. Snortsam can interact with multiple enforcement points. (i.e. if someone attempts an exploit on a server in London, you could have him blocked on your firewalls in London, New York, L.A., Madrid, Tokyo, etc.)

Anyhow, just wanted to say that your definition of an IPS was right on.

Cheers,
Frank
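The reaction model Frank describes above (an alert arrives, the source and possibly the target get blocked on every enforcement point, the first packet has already gone through) is easy to see in code. The following is an added illustration written for this archive page; it is not Snortsam's code and does not talk to any firewall. It parses Snort's alert_fast line format, applies a small containment policy, and emits block orders for a list of hypothetical enforcement points. The rule IDs (1000001 and up, the local-rule range), the enforcement point names, the never-block list and the alert lines are all constructed for the example. The never-block list is the check a practitioner wants in any reactive blocker: an attacker who spoofs a source address can otherwise use your own IDS to cut you off from your gateway or DNS server.

```python
"""Toy intrusion-containment dispatcher: Snort alerts in, block orders out.

Hypothetical illustration of a Snortsam-style reaction; not Snortsam's code.
Input is Snort's 'alert_fast' line format, which carries no year, so the
caller supplies one when parsing.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# alert_fast line: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src[:sport] -> dst[:dport]"   (Classification is optional)
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    msg: str
    priority: int
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


def parse_fast_alert(line: str, year: int) -> Optional[Alert]:
    """Parse one alert_fast line; return None for anything that does not match."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return Alert(
        ts=ts, sid=int(m["sid"]), msg=m["msg"], priority=int(m["prio"]),
        proto=m["proto"],
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
    )


@dataclass(frozen=True)
class BlockOrder:
    enforcement_point: str
    ip: str
    expires: datetime


class Containment:
    """Turns alerts into block orders for every enforcement point at once."""

    def __init__(self, enforcement_points: List[str], never_block: List[str],
                 contain_target_sids: List[int], ttl: timedelta = timedelta(minutes=30)):
        self.points = list(enforcement_points)
        # Addresses that must never be blocked, even if an alert names them as
        # source: this is the guard against spoofed-source self-denial-of-service.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        # Signatures for which the *target* is also contained (likely infected).
        self.contain_target_sids = set(contain_target_sids)
        self.ttl = ttl
        self.active: Dict[Tuple[str, str], datetime] = {}  # (point, ip) -> expiry

    def _blockable(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return not any(addr in net for net in self.never_block)

    def react(self, alert: Alert) -> List[BlockOrder]:
        """Only priority 1-2 alerts trigger containment; repeats extend the expiry."""
        if alert.priority > 2:
            return []
        targets = [alert.src]
        if alert.sid in self.contain_target_sids:
            targets.append(alert.dst)
        orders: List[BlockOrder] = []
        for ip in targets:
            if not self._blockable(ip):
                continue
            expires = alert.ts + self.ttl
            for point in self.points:
                key = (point, ip)
                current = self.active.get(key)
                if current is not None and current > alert.ts:
                    self.active[key] = max(current, expires)  # already blocked
                    continue
                self.active[key] = expires
                orders.append(BlockOrder(point, ip, expires))
        return orders

    def expire(self, now: datetime) -> List[Tuple[str, str]]:
        """Lift blocks whose expiry has passed; returns the (point, ip) pairs lifted."""
        lifted = [k for k, exp in self.active.items() if exp <= now]
        for k in lifted:
            del self.active[k]
        return lifted


# Constructed sample alerts (documentation ranges, local-rule SIDs); not real traffic.
SAMPLE_ALERTS = [
    "08/22-17:15:03.000001  [**] [1:1000001:1] LOCAL tcp/135 probe from outside [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:4321 -> 192.0.2.10:135",
    "08/22-17:15:04.000002  [**] [1:1000001:1] LOCAL tcp/135 probe from outside [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:4322 -> 192.0.2.53:135",
    "08/22-17:15:05.000003  [**] [1:1000002:1] LOCAL ICMP ping sweep [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10",
    "08/22-17:15:06.000004  [**] [1:1000003:1] LOCAL DMZ host spraying tcp/135 outbound [**] "
    "[Priority: 1] {TCP} 192.0.2.20:1050 -> 203.0.113.55:135",
]


def demo() -> Tuple[Containment, List[BlockOrder]]:
    """Run the sample alerts through a three-site containment policy."""
    c = Containment(
        enforcement_points=["fw-london", "fw-newyork", "fw-tokyo"],
        never_block=["192.0.2.1/32", "192.0.2.53/32"],   # gateway and DNS server
        contain_target_sids=[1000001],                    # tcp/135 probe: contain the target too
    )
    orders: List[BlockOrder] = []
    for line in SAMPLE_ALERTS:
        alert = parse_fast_alert(line, year=2003)
        if alert is not None:
            orders.extend(c.react(alert))
    return c, orders


if __name__ == "__main__":
    containment, issued = demo()
    for o in issued:
        print(f"{o.enforcement_point}: block {o.ip} until {o.expires:%H:%M:%S}")
```

Walking the sample through: the first alert blocks the outside source and, because its signature is in the contain-target list, the probed internal host, on all three firewalls (six orders). The second alert from the same source is a repeat, so it only extends the existing block, and its target is the DNS server on the never-block list, so nothing new is issued. The priority-3 ping sweep is ignored, and the DMZ host spraying tcp/135 outbound gets isolated on all three sites. As in the thread, none of this stops the first packet; it limits what the intruder can do afterwards.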
Current thread:
- Re: Re: [Snort-devel] IDS vs IPS, (continued)
- Re: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Aug 27)
- Re: Re: [Snort-devel] IDS vs IPS Jeff (Aug 27)
- Re: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)
- Re: Re: [Snort-devel] IDS vs IPS Mark Teicher (Aug 28)
- Re: Re: [Snort-devel] IDS vs IPS Jeff Nathan (Sep 01)
- Re: Re: [Snort-devel] IDS vs IPS Mark Teicher (Sep 02)
- Re: Re: [Snort-devel] IDS vs IPS Jeff Nathan (Aug 30)
- Re: Re: [Snort-devel] IDS vs IPS Gary Flynn (Sep 02)
- Re: Re: [Snort-devel] IDS vs IPS Mark Teicher (Sep 02)
- Re: Re: [Snort-devel] IDS vs IPS Frank Knobbe (Sep 02)
- RE: Re: [Snort-devel] IDS vs IPS Gordon Cunningham (Aug 28)
- Re: Re: [Snort-devel] IDS vs IPS Jason (Aug 28)
- RE: Re: [Snort-devel] IDS vs IPS Georges J. Jahchan, Eng. (Aug 29)
- Re: [Snort-devel] IDS vs IPS Jeff Nathan (Aug 30)