RE: Re: [Snort-devel] IDS vs IPS

["Bob Walder" <bwalder () spamcop net>]

Thanks Frank

I would also like to say that your definition of Snortsam is also spot
on to my mind - an Intrusion Reaction System or Intrusion Containment
System sounds about right!  ;o)

See... Who needs marketing guys?

Regards,

Bob Walder




> > -----Original Message-----
> > From: snort-devel-admin () lists sourceforge net 
> > [mailto:snort-devel-admin () lists sourceforge net] On Behalf 
> > Of Frank Knobbe
> > Sent: 22 August 2003 17:15
> > To: snort-devel () lists sourceforge net; 
> > snort-users () lists sourceforge net
> > Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS
> >
> >
> > On Fri, 2003-08-22 at 08:35, Bob Walder wrote:
> > > My 0.02 worth is that a Network IPS (NIPS) is a device with two 
> > > interfaces that operates in-line to detect suspicious traffic and 
> > > INSTANTLY discard the offending packet and the rest of the 
> > suspicious 
> > > flow.
> >
> > Yup, I go with that. I actually like to refer to Snortsam as 
> > an Intrusion Reaction System, but IRS seems to have a 
> > negative ring to it
> > :)  How about Intrusion Containment Systems? ICS? Yeah, that's it.
> >
> > However, my arm has been twisted to call it an IPS. Yes, it 
> > doesn't prevent the first packet from intruding (say a 
> > packet to tcp/135), but once detected, it will prevent 
> > further communication with the intruder, thus preventing him 
> > from doing further damage (i.e. shell commands). Depending 
> > on the signature you could also contain the target. Where 
> > Snortsam shines is the ability to contain that source/target 
> > on all you firewalls. So if a server in the DMZ gets 
> > infected with Blaster, you could have Snortsam reconfigure 
> > your DMZ firewall. If a laptop of a vendor is detected 
> > spitting out Blaster, you could have all your firewalls be 
> > configured to isolate that laptop from the rest of your enterprise.
> >
> > Snortsam lacks the store'n'forward approach of the normal 
> > IPS's (as you just defined). But those are only single 
> > enforcement points. Snortsam can interact with multiple 
> > enforcement points. (i.e. if someone attempts an exploit on 
> > a server in London, you could have him blocked on your 
> > firewalls in London, New York, L.A., Madrid, Tokyo, etc).
> >
> > Anyhow, just wanted to say that your definition of an IPS 
> > was right on.
> >
> > Cheers,
> > Frank




-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines
at the same time. Free trial click here:http://www.vmware.com/wl/offer/358/0
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users