IDS: Network IDS testing

Dug Song (dugsong@monkey.org)
Tue, 23 Mar 1999 13:00:15 -0500 (EST)

FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

On Mon, 22 Mar 1999, John Mayer wrote:

> ODS Networks and ISS have been doing this for a year (by the way, it also
> provides FDDI and ATM IDS monitoring) and have a good track record with
> customers.

FDDI and ATM, at what speeds? doing IP fragment and TCP stream reassembly?
with what false negative rate?

i'm curious to know what IDS products have actually been tested with
anti-IDS tools like the congestant software in Phrack #54, or have been
tested against real network traffic (as opposed to artificially generated
byte streams). i've seen the IBM zurich paper on IDS testing methodology -
are there any other pointers out there to work in this area?

this is interesting because most IDS products

   a. don't have OS modifications to support high-speed sniffing
   b. don't bother to reconstruct a coherent view of the network stream
   c. don't have heuristics to deal with evasion techniques

NFR does. any others?

-d.

---
http://www.monkey.org/~dugsong/
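The point in (b) and (c) above, as an added example that is not part of the original post: a minimal fragment reassembler that shows why a sensor which matches signatures per packet misses a string split across fragments, and why overlapping fragments should be flagged rather than silently resolved. The Fragment type, the signature and the sample fragments are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int      # datagram id shared by all fragments of one datagram
    offset: int     # byte offset within the datagram (real IP counts 8-byte units)
    more: bool      # "more fragments" flag; False on the final fragment
    payload: bytes


def reassemble(frags):
    """Reassemble one datagram; returns (data, anomalies).

    Policy: lowest offset wins on overlap. Overlaps and gaps are reported,
    because a host that favours the later fragment sees different bytes
    than the sensor, and that ambiguity is what evasion tools exploit.
    """
    data, anomalies, end, saw_last = bytearray(), [], 0, False
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset < end:
            anomalies.append(f"overlap at {f.offset}")
        elif f.offset > end:
            anomalies.append(f"gap at {end}")
            data.extend(b"\x00" * (f.offset - end))   # keep later offsets aligned
        data.extend(f.payload[max(0, end - f.offset):])  # drop already-covered bytes
        end = max(end, f.offset + len(f.payload))
        saw_last = saw_last or not f.more
    if not saw_last:
        anomalies.append("missing last fragment")
    return bytes(data), anomalies


def inspect(frags, sig):
    """Compare naive per-packet matching with matching on the reassembled datagram."""
    data, anomalies = reassemble(frags)
    return {"per_packet": any(sig in f.payload for f in frags),
            "reassembled": sig in data, "anomalies": anomalies}


SIG = b"ATTACK-STRING"   # constructed signature, not a real IDS rule
# constructed: the signature is split cleanly across two fragments
SPLIT = [Fragment(1, 0, True, b"GET /foo?x=ATTACK"),
         Fragment(1, 17, False, b"-STRING HTTP/1.0")]
# constructed: the middle fragment overlaps the first by two bytes ("TT" vs "XX")
OVERLAP = [Fragment(2, 0, True, b"GET /a?q=ATT"),
           Fragment(2, 10, True, b"XXACK"),
           Fragment(2, 15, False, b"-STRING")]

if __name__ == "__main__":
    for name, frags in (("split", SPLIT), ("overlap", OVERLAP)):
        print(name, inspect(frags, SIG))
```

On the SPLIT sample the per-packet check is false and the reassembled check is true; on the OVERLAP sample the match depends entirely on the overlap policy, which is why the anomaly is worth alerting on by itself.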