[Snort-users] Re: [Snort-devel] IDS vs IPS

Bob Walder bwalder at ...1926...
Fri Aug 22 14:40:32 EDT 2003


Thanks Frank

I would also like to say that your definition of Snortsam is also spot
on to my mind - an Intrusion Reaction System or Intrusion Containment
System sounds about right!  ;o)

See... Who needs marketing guys?

Regards,

Bob Walder




>> -----Original Message-----
>> From: snort-devel-admin at lists.sourceforge.net 
>> [mailto:snort-devel-admin at lists.sourceforge.net] On Behalf 
>> Of Frank Knobbe
>> Sent: 22 August 2003 17:15
>> To: snort-devel at lists.sourceforge.net; 
>> snort-users at lists.sourceforge.net
>> Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS
>> 
>> 
>> On Fri, 2003-08-22 at 08:35, Bob Walder wrote:
>> > My 0.02 worth is that a Network IPS (NIPS) is a device with two 
>> > interfaces that operates in-line to detect suspicious traffic and 
>> > INSTANTLY discard the offending packet and the rest of the 
>> > suspicious 
>> > flow.
>> 
>> Yup, I go with that. I actually like to refer to Snortsam as 
>> an Intrusion Reaction System, but IRS seems to have a 
>> negative ring to it
>> :)  How about Intrusion Containment Systems? ICS? Yeah, that's it.
>> 
>> However, my arm has been twisted to call it an IPS. Yes, it 
>> doesn't prevent the first packet from intruding (say a 
>> packet to tcp/135), but once detected, it will prevent 
>> further communication with the intruder, thus preventing him 
>> from doing further damage (i.e. shell commands). Depending 
>> on the signature you could also contain the target. Where 
>> Snortsam shines is the ability to contain that source/target 
>> on all your firewalls. So if a server in the DMZ gets 
>> infected with Blaster, you could have Snortsam reconfigure 
>> your DMZ firewall. If a laptop of a vendor is detected 
>> spitting out Blaster, you could have all your firewalls be 
>> configured to isolate that laptop from the rest of your enterprise.
>> 
>> Snortsam lacks the store'n'forward approach of the normal 
>> IPSs (as you just defined). But those are only single 
>> enforcement points. Snortsam can interact with multiple 
>> enforcement points. (i.e. if someone attempts an exploit on 
>> a server in London, you could have him blocked on your 
>> firewalls in London, New York, L.A., Madrid, Tokyo, etc).
>> 
>> Anyhow, just wanted to say that your definition of an IPS 
>> was right on.
>> 
>> Cheers,
>> Frank
>> 
>> 
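The distinction Frank draws above (an in-line IPS that holds each packet and drops the offending one plus the rest of its flow at a single enforcement point, versus a reaction system that lets the detected packet through but then blocks the source on every firewall it manages) can be made concrete in a small simulation. The following is an added illustration written for this page; it is not Snortsam's code, not a Snort rule, and the `is_suspicious` check, the firewall names and the sample packets are all constructed stand-ins.

```python
"""Added illustration (not Snortsam's own code): an in-line IPS at one
enforcement point versus a reaction/containment system that reconfigures
every firewall after an alert. All firewall names, addresses and packets
below are constructed sample data, and is_suspicious() is a stand-in for
a signature match, not a real Snort rule."""

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str


def is_suspicious(pkt: Packet) -> bool:
    """Hypothetical signature: an 'exploit' marker aimed at tcp/135."""
    return pkt.dport == 135 and "EXPLOIT" in pkt.payload


class InlineIPS:
    """One in-line enforcement point: each packet is held, inspected, then
    forwarded or discarded. Once a flow is flagged, the offending packet and
    everything after it in that flow is dropped, but only at this one box."""

    def __init__(self) -> None:
        self.blocked_flows: Set[Tuple[str, str]] = set()

    def forward(self, pkt: Packet) -> bool:
        flow = (pkt.src, pkt.dst)
        if flow in self.blocked_flows:
            return False
        if is_suspicious(pkt):
            self.blocked_flows.add(flow)
            return False            # the offending packet itself is dropped
        return True


class ReactionSystem:
    """Passive sensor whose alert pushes a block for the source to every
    firewall it knows about. The packet that triggered the alert has already
    passed; later traffic from that source is contained at all enforcement
    points, not just the one that saw the attack."""

    def __init__(self, firewalls: List[str]) -> None:
        self.blocked: Dict[str, Set[str]] = {fw: set() for fw in firewalls}

    def forward(self, pkt: Packet, firewall: str) -> bool:
        if pkt.src in self.blocked[firewall]:
            return False            # already contained at this firewall
        if is_suspicious(pkt):
            for fw in self.blocked:
                self.blocked[fw].add(pkt.src)   # contain the source everywhere
        return True                 # this packet is already through


# Constructed traffic: (firewall that sees the packet, packet)
SAMPLE = [
    ("london", Packet("203.0.113.7", "10.1.0.5", 135, "EXPLOIT attempt")),
    ("london", Packet("203.0.113.7", "10.1.0.5", 4444, "shell command")),
    ("newyork", Packet("203.0.113.7", "10.2.0.9", 135, "EXPLOIT attempt")),
    ("tokyo", Packet("198.51.100.4", "10.3.0.2", 80, "GET / HTTP/1.1")),
]


def simulate() -> Dict[str, List[bool]]:
    """Return, per packet, whether each design lets it through."""
    inline = InlineIPS()                       # deployed in-line in London only
    react = ReactionSystem(["london", "newyork", "tokyo"])
    inline_out: List[bool] = []
    react_out: List[bool] = []
    for fw, pkt in SAMPLE:
        # The single in-line box only sees London traffic; elsewhere passes.
        inline_out.append(inline.forward(pkt) if fw == "london" else True)
        react_out.append(react.forward(pkt, fw))
    return {"inline": inline_out, "reaction": react_out}


if __name__ == "__main__":
    for name, verdicts in simulate().items():
        print(name, ["pass" if v else "drop" for v in verdicts])
```

Running it shows the trade-off in one line each: the in-line box drops the exploit packet and the follow-up shell traffic in London but never sees the same source hitting New York, while the reaction system lets the first exploit packet through and then drops both the follow-up in London and the later attempt in New York. Unrelated traffic in Tokyo passes under both designs.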