[Snort-users] New Trend: Intrusion Prevention

Erick Mechler emechler at ...7719...
Fri Dec 13 13:15:03 EST 2002


:: I believe it intercepts kernel calls and blocks/passes
:: them, kinda playing middleman.  Not sure though. 
:: Looks neat, but I don't see any silver bullet here
:: either; not unless you want to slap this type of thing
:: on your 500-5000 XP workstations too.

Okena makes one that my team is currently evaluating.  Twig, you're right,
it sits between the application and the OS level and looks at all system
calls that the applications are making.  Benefits of sitting this low: you
can have extremely fine-grained control over what an application is allowed
to use/modify/read/etc.; you can analyze encrypted data since the
application has already decrypted it.  Drawbacks: it takes a *lot* of setup
time to figure out exactly what certain applications need.

  http://www.okena.com/areas/products/products_stormwatch.html

Niels Provos also wrote something similar for UNIX, called systrace.

  http://www.citi.umich.edu/u/provos/systrace/

I'm not sure this is what Paul Sheahan was referring to when he was talking
about Intrusion Prevention, though, seeing as this is a host-based
solution.  There are network-based Intrusion Prevention solutions, but in
my opinion they're really not practical due to the fact that you need an
extremely high degree of accuracy (as Bob already mentioned).

Cheers - Erick
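An added illustration of the policy model Erick describes above (not Okena's or systrace's code; a toy Python engine with a made-up rule format and a constructed syscall trace for a hypothetical web server): a default-deny per-application policy is learned from a training run, and the exact rules it produces show why an operator still has to review and generalize them before the policy is usable.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class SysCall:
    name: str    # e.g. "open", "bind", "execve", as decoded by the interposition layer
    args: dict   # decoded arguments, e.g. {"path": "/etc/passwd"}

@dataclass
class Rule:
    syscall: str
    match: dict  # argument name -> glob pattern; every listed argument must match
    action: str  # "permit" or "deny"

    def applies(self, call):
        return call.name == self.syscall and all(
            fnmatchcase(call.args.get(k, ""), pat) for k, pat in self.match.items())

class Policy:
    # Per-application policy: first matching rule wins, else the default (deny).
    def __init__(self, rules=None, default="deny"):
        self.rules, self.default = list(rules or []), default

    def decide(self, call):
        for rule in self.rules:
            if rule.applies(call):
                return rule.action
        return self.default

    def learn(self, trace):
        # Learning mode: each call seen in a training run becomes an exact permit rule.
        # That exactness is the setup cost: unseen arguments stay denied until generalized.
        added = 0
        for call in trace:
            if self.decide(call) != "permit":
                self.rules.append(Rule(call.name, dict(call.args), "permit"))
                added += 1
        return added

# Constructed training trace for a hypothetical web server (not a real capture).
TRAINING = [
    SysCall("open", {"path": "/etc/httpd/httpd.conf"}),
    SysCall("open", {"path": "/var/www/index.html"}),
    SysCall("bind", {"port": "80"}),
]

def build_policy():
    # Learned exact rules plus one operator generalization: any file under the docroot.
    policy = Policy()
    policy.learn(TRAINING)
    policy.rules.insert(0, Rule("open", {"path": "/var/www/*"}, "permit"))
    return policy
```

With the learned policy, a read of a new page under the docroot is permitted only because of the operator's glob rule, while a bind to a port or a file path never seen in training is denied.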
