Re[2]: IDS: Network Intrusion Detection

Mark Curphey (Mark.Curphey@ing-barings.com)
Wed, 24 Feb 1999 08:50:24 +0000

FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

Spanning the switch port works well (I have done this on Cisco Cat 1900s) in 
the past. On a loaded segment the switch worked just fine. There are other ways 
and in my experience all vendors will get a techie in to plan it for you or at 
least talk about the options.

I have used RealSecure on a very loaded FDDI ring (70% permanently) and the only 
problem was the PC being able to keep up. ISS say they can match about 20,000 
packets a sec now, and have coded a seemingly smart packet dropping algorithm 
that will drop packets by rules and not just by queue position. NT boxes just 
don't have the grunt (fell over) but when I switched to a Sparc I had no problems.

In my personal opinion the CISCO stuff is fundamentally flawed. It is a black box
that is hardly configurable. Any real IDS will need to be moulded to the 
network. How many comms teams have written ICMP sweep scripts in shell script or a
batch file? Unless you can turn checks on and off or modify parameters they will
often show as smurfs!!

NFR looks great and the concept of being able to write sigs etc is excellent. 
What a pedigree. Trouble is in the real world how many people have time to code
the couple of hundred attack sigs we need? Nice toy and if I had nothing else to
do......



______________________________ Reply Separator _________________________________
Subject: Re: IDS: Network Intrusion Detection
Author:  Jerry Dixon <jerry@jdixon.com> at JInternet
Date:    23/03/1999 12:14


     
I'll go out to their site and check that out.  I'm in the process of 
getting a couple more products in to test and see how they stack up to what 
their documentation says they're capable of doing.  I looked at the option of 
spanning in the switches to a port and placing a probe there but the 
obvious problem there is the overhead on the switch and degradation of 
performance.  Still looks like an IDS box per broadcast domain as we cannot 
impact performance on the wire.
     
        -Jd
     
     
-----Original Message-----
From: Dug Song <dugsong@monkey.org>
To: Jerry Dixon Jr <jerry@jdixon.com> 
Cc: ids@uow.edu.au <ids@uow.edu.au>
Date: Monday, March 22, 1999 11:15 PM 
Subject: RE: IDS: Network Intrusion Detection
     
     
>
>On Sat, 20 Mar 1999, Jerry Dixon Jr wrote: 
>
>> Also I'll post on our findings of the various products we test... It 
>> would be great if the NFR product does fit this mold today with the 
>> ever increasing fast ethernet topologies out there.
>
>you might be interested in a previous comparative IDS test done by the 
>DataComm magazine folks, in which they found NFR to be the only product 
>among those tested capable of detecting any attacks on a 40% loaded Fast 
>Ethernet segment:
>
> http://www.data.com/lab_tests/intrusion4.html 
>
>> By the way does the product detect the signature of NMAP (I know, this 
>> one is a tough one to pick out with the randomization that it does)?
>
>NFR isn't an IDS, per se. NFR (the company) has left that part up to its 
>resellers (like my employer, Anzen Computing), and to the general public 
>(NFR is end-user programmable). see http://www.l0pht.com/NFR/ for sample 
>filters, or http://www.anzen.com/cgi-bin/nfrdemo for an online NFR demo. 
>
>nmap isn't difficult to detect, if it's fast portscans, TCP fingerprint 
>probes, or host sweeps you're looking for. identifying an attacker's real 
>src address in a flurry of randomized decoy scans is impossible, though. 
>
>-d.
>
>---
>http://www.monkey.org/~dugsong/
>
>
     
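A small threshold detector, added here as an illustration and not code from NFR, RealSecure or any other product named in the thread, covering two points raised above: Curphey's complaint that checks must be switchable and tunable so the comms team's own ICMP sweep script does not keep showing up as a smurf, and Dug Song's note that fast port scans and host sweeps are easy to flag while decoy scans leave the real source undecidable. The record format, thresholds, allowlist and all addresses are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed example for this thread (not NFR, RealSecure or Cisco code).
# A record is (t_seconds, src, dst, proto, dport); dport is None for ICMP.
# Thresholds and the allowlist are hypothetical knobs: each check can be
# switched off or tuned, so a known sweep box is not reported as a "smurf".
@dataclass(frozen=True)
class Config:
    window: float = 5.0          # seconds of history considered per source
    sweep_hosts: int = 8         # distinct dst hosts in window => host sweep
    scan_ports: int = 10         # distinct TCP dports on one dst => port scan
    sweep_enabled: bool = True
    portscan_enabled: bool = True
    sweep_allow: frozenset = frozenset({"10.0.0.5"})  # comms team's sweep host

def detect(records, cfg=Config()):
    """Return sorted (kind, src) alerts found in the records."""
    by_src = defaultdict(list)
    for rec in sorted(records, key=lambda r: r[0]):
        by_src[rec[1]].append(rec)
    alerts = set()
    for src, evs in by_src.items():
        for i, (t0, *_) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= cfg.window]
            hosts = {e[2] for e in win}
            if (cfg.sweep_enabled and src not in cfg.sweep_allow
                    and len(hosts) >= cfg.sweep_hosts):
                alerts.add(("host-sweep", src))
            ports = defaultdict(set)
            for _, _, dst, proto, dport in win:
                if proto == "tcp":
                    ports[dst].add(dport)
            if cfg.portscan_enabled and any(len(p) >= cfg.scan_ports for p in ports.values()):
                alerts.add(("portscan", src))
    return sorted(alerts)

def sample_records():
    """Constructed traffic: an allowlisted ICMP sweep, a foreign ICMP sweep,
    and one TCP scan of 10.0.1.1 repeated from three sources (decoys)."""
    recs = [(0.1 * i, "10.0.0.5", f"10.0.1.{i}", "icmp", None) for i in range(1, 17)]
    recs += [(20 + 0.2 * i, "192.0.2.9", f"10.0.1.{i}", "icmp", None) for i in range(1, 13)]
    for src in ("203.0.113.1", "203.0.113.2", "203.0.113.3"):
        recs += [(40 + 0.05 * p, src, "10.0.1.1", "tcp", p) for p in range(1, 21)]
    return recs

if __name__ == "__main__":
    for kind, src in detect(sample_records()):
        print(f"{kind:10s} {src}")  # three portscan alerts; which one is real is undecidable
```

The allowlisted sweep is silent, the foreign sweep and all three decoy sources alert, and the detector has no basis for picking the real scanner among the decoys.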