Re: IDS: Network Intrusion Detection

Jerry Dixon (jerry@jdixon.com)
Tue, 23 Mar 1999 12:14:14 -0500

FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicted mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

I'll go out to their site and check that out.  I'm in the process of
getting a couple more products in to test and see how they stack up to what
their documentation says they're capable of doing.  I looked at the option of
spanning in the switches to a port and placing a probe there, but the
obvious problem there is the overhead on the switch and degradation of
performance.  Still looks like an IDS box per broadcast domain as we cannot
impact performance on the wire.

        -Jd


-----Original Message-----
From: Dug Song <dugsong@monkey.org>
To: Jerry Dixon Jr <jerry@jdixon.com>
Cc: ids@uow.edu.au <ids@uow.edu.au>
Date: Monday, March 22, 1999 11:15 PM
Subject: RE: IDS: Network Intrusion Detection


>
>On Sat, 20 Mar 1999, Jerry Dixon Jr wrote:
>
>> Also I'll post on our findings of the various products we test... It
>> would be great if the NFR product does fit this mold today with the
>> ever increasing fast ethernet topologies out there.
>
>you might be interested in a previous comparative IDS test done by the
>DataComm magazine folks, in which they found NFR to be the only product
>among those tested capable of detecting any attacks on a 40% loaded Fast
>Ethernet segment:
>
> http://www.data.com/lab_tests/intrusion4.html
>
>> By the way does the product detect the signature of NMAP (I know, this
>> one is a tough one to pick out with the randomization that it does)?
>
>NFR isn't an IDS, per se. NFR (the company) has left that part up to its
>resellers (like my employer, Anzen Computing), and to the general public
>(NFR is end-user programmable). see http://www.l0pht.com/NFR/ for sample
>filters, or http://www.anzen.com/cgi-bin/nfrdemo for an online NFR demo.
>
>nmap isn't difficult to detect, if it's fast portscans, TCP fingerprint
>probes, or host sweeps you're looking for. identifying an attacker's real
>src address in a flurry of randomized decoy scans is impossible, though.
>
>-d.
>
>---
>http://www.monkey.org/~dugsong/
>
>
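As an added example (not from this thread, and not NFR's or any vendor's code) of the detection side of Dug's point: a small fan-out detector over constructed flow records flags a fast port scan and a host sweep purely by behaviour, and also shows that when the same probe pattern arrives from spoofed decoy sources the detector gets several equally plausible sources and cannot say which one is real. All addresses, timings and thresholds are constructed assumptions.

```python
# Added example: sliding-window port-scan / host-sweep detector over flow records.
# A flow record is (timestamp_seconds, src_ip, dst_ip, dst_port); sample data is constructed.
from collections import defaultdict


def make_flows():
    """Constructed sample traffic: one benign client, one fast port scan that arrives
    from three sources (one real, two spoofed decoys), and one host sweep."""
    flows = [(1.0, "10.0.0.20", "10.0.1.10", 80), (2.0, "10.0.0.20", "10.0.1.10", 443)]
    # The same 12-port probe pattern, same timing, from three source addresses:
    # on the wire a decoy scan looks exactly like this, so all three look alike.
    for src in ("10.0.0.5", "192.0.2.7", "198.51.100.9"):
        for i, port in enumerate(range(20, 32)):
            flows.append((10.0 + 0.1 * i, src, "10.0.1.10", port))
    # One source touching port 445 on 12 different hosts in ~2.4 seconds.
    for i in range(12):
        flows.append((20.0 + 0.2 * i, "10.0.0.9", "10.0.1.%d" % (i + 1), 445))
    return flows


def detect_scans(flows, window=5.0, port_threshold=10, host_threshold=10):
    """Return {src_ip: set of reasons} for sources that, within any `window` seconds,
    touch >= port_threshold distinct ports on one host ("portscan") or
    >= host_threshold distinct hosts ("hostsweep")."""
    alerts = defaultdict(set)
    recent = defaultdict(list)  # src -> list of (ts, dst, port) inside the window
    for ts, src, dst, port in sorted(flows):
        events = recent[src]
        events.append((ts, dst, port))
        while events and events[0][0] < ts - window:  # expire old events
            events.pop(0)
        ports_per_host = defaultdict(set)
        for _, d, p in events:
            ports_per_host[d].add(p)
        if any(len(ps) >= port_threshold for ps in ports_per_host.values()):
            alerts[src].add("portscan")
        if len(ports_per_host) >= host_threshold:
            alerts[src].add("hostsweep")
    return dict(alerts)


def portscan_candidates(alerts):
    """Every source flagged for a port scan; with decoys in play this list holds the
    real scanner and its decoys, and nothing in the flows tells them apart."""
    return sorted(src for src, why in alerts.items() if "portscan" in why)


if __name__ == "__main__":
    found = detect_scans(make_flows())
    for src in sorted(found):
        print(src, sorted(found[src]))
    print("port-scan candidates:", portscan_candidates(found))
```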