[Snort-users] Re: [Snort-devel] IDS vs IPS
bwalder at ...1926...
Fri Aug 22 14:40:32 EDT 2003
I would also like to say that your definition of Snortsam is also spot
on to my mind - an Intrusion Reaction System or Intrusion Containment
System sounds about right! ;o)
See... Who needs marketing guys?
>> -----Original Message-----
>> From: snort-devel-admin at lists.sourceforge.net
>> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf
>> Of Frank Knobbe
>> Sent: 22 August 2003 17:15
>> To: snort-devel at lists.sourceforge.net;
>> snort-users at lists.sourceforge.net
>> Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS
>> On Fri, 2003-08-22 at 08:35, Bob Walder wrote:
>> > My 0.02 worth is that a Network IPS (NIPS) is a device with two
>> > interfaces that operates in-line to detect suspicious traffic and
>> > INSTANTLY discard the offending packet and the rest of the
>> > flow.
>> Yup, I go with that. I actually like to refer to Snortsam as
>> an Intrusion Reaction System, but IRS seems to have a
>> negative ring to it
>> :) How about Intrusion Containment Systems? ICS? Yeah, that's it.
>> However, my arm has been twisted to call it an IPS. Yes, it
>> doesn't prevent the first packet from intruding (say a
>> packet to tcp/135), but once detected, it will prevent
>> further communication with the intruder, thus preventing him
>> from doing further damage (i.e. shell commands). Depending
>> on the signature you could also contain the target. Where
>> Snortsam shines is the ability to contain that source/target
>> on all your firewalls. So if a server in the DMZ gets
>> infected with Blaster, you could have Snortsam reconfigure
>> your DMZ firewall. If a laptop of a vendor is detected
>> spitting out Blaster, you could have all your firewalls be
>> configured to isolate that laptop from the rest of your enterprise.
>> Snortsam lacks the store'n'forward approach of the normal
>> IPSs (as you just defined). But those are only single
>> enforcement points. Snortsam can interact with multiple
>> enforcement points. (i.e. if someone attempts an exploit on
>> a server in London, you could have him blocked on your
>> firewalls in London, New York, L.A., Madrid, Tokyo, etc).
>> Anyhow, just wanted to say that your definition of an IPS
>> was right on.
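Frank's contrast between a single in-line enforcement point and a Snortsam-style system that contains a source on all firewalls, modelled in Python as an added example (this is not Snort or Snortsam code); the tcp/135 "signature", the addresses and the site names are constructed for the illustration.

```python
# Constructed model of the two designs discussed above (not Snort/Snortsam code):
# an in-line IPS drops the offending packet and its flow at one enforcement
# point; a Snortsam-style reaction system lets the detected packet through, then
# blocks its source on every firewall it manages.  Signature, addresses and
# site names are made up.
from collections import namedtuple
from dataclasses import dataclass, field

SUSPICIOUS_PORTS = {135}  # stand-in "signature": tcp/135 as in the thread
Packet = namedtuple("Packet", "src dst dport site")  # site = enforcement point traversed

def matches_signature(pkt):
    return pkt.dport in SUSPICIOUS_PORTS

@dataclass
class InlineIPS:  # one in-line box: drops the matching packet and the rest of its flow
    site: str
    blocked_flows: set = field(default_factory=set)
    def process(self, pkt):
        if pkt.site != self.site:
            return True  # a single enforcement point never sees other sites
        flow = (pkt.src, pkt.dst)
        if flow in self.blocked_flows or matches_signature(pkt):
            self.blocked_flows.add(flow)
            return False  # offending packet discarded in-line, flow stays closed
        return True

@dataclass
class ReactionSystem:  # Snortsam-style: sensor alerts, all firewalls block the source
    firewalls: dict  # site -> set of blocked source addresses
    def process(self, pkt):
        if pkt.src in self.firewalls[pkt.site]:
            return False  # contained at this enforcement point
        if matches_signature(pkt):
            for blocked in self.firewalls.values():
                blocked.add(pkt.src)  # contain the source on every firewall
        return True  # the triggering packet is already past the firewall

# Constructed traffic: Blaster-like probe, follow-up on the same flow, the same
# source at another site, then an unrelated client.
SAMPLE = [Packet("203.0.113.9", "dmz-srv", 135, "London"),
          Packet("203.0.113.9", "dmz-srv", 4444, "London"),
          Packet("203.0.113.9", "ny-srv", 80, "NewYork"),
          Packet("198.51.100.4", "dmz-srv", 80, "London")]

def compare(packets):  # returns (inline verdicts, reaction verdicts); True = forwarded
    inline = InlineIPS(site="London")
    reaction = ReactionSystem(firewalls={"London": set(), "NewYork": set()})
    return ([inline.process(p) for p in packets],
            [reaction.process(p) for p in packets])
```

Running `compare(SAMPLE)` shows the trade-off in the thread: the in-line box never lets the first tcp/135 packet through but is blind to the same source at New York, while the reaction system passes that first packet and then blocks the source at both sites.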