mouss wrote:
> Moreover, I doubt that ISS and NAI use your technology (At the best
> of my knowledge, Cisco and Axent do not provide IDS solutions, but
> I'm ready to be corrected if I get it wrong).
From a quick trip to their web sites:
Axent NetProwler (Network based IDS) and Intruder Alert (Host based IDS)
http://www.axent.com/Axent/Public/Main?nav=Products
Cisco Secure IDS (formerly NetRanger):
http://www.cisco.com/warp/public/cc/cisco/mkt/security/nranger/
> I tend to believe that most current commercial IDS systems are more
> advanced in marketing than in "technical technology".
I also tend to believe that most of the checks in most IDS (both commercial
and non-commercial) today rely heavily on plain old pattern-matching
(as opposed to the much more sophisticated -- but much slower and compute
intensive -- methods cited). Some of them do have fairly powerful
heuristic engines so that they can analyse patterns spanning multiple
packets for stateful behaviour (e.g. used in modules to detect port-scanning)
but I would tend to believe that they don't do as much of it as they could
because they need to keep up with network traffic in real-time.
Note that the non-commercial 'snort' primarily looks for sequences of bytes
or patterns within the packet being inspected. It has some more dynamic
heuristic modules for more advanced inspection.
I suppose some IDSes could be tasked to re-scan some flagged packets in
non-real-time in a separate process (e.g. on a separate machine from
the initial collector/scanner/early-alert processes) and use the luxury
of more time to perform extensive heavy statistical analysis on them.
- H. Morrow Long
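As an added illustration (not part of the thread, and not snort's code), the two detection styles contrasted above: a stateless per-packet byte-pattern check beside a stateful port-scan heuristic that remembers ports seen across packets. The packet records and the signature pattern are constructed for the example.

```python
# Added example: per-packet pattern matching vs. a stateful multi-packet
# heuristic. Packet records and the signature below are constructed, not real.
from collections import defaultdict

# Constructed packet records: (timestamp_s, src_ip, dst_ip, dst_port, payload)
PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.9", 80, b"GET /index.html HTTP/1.0\r\n"),
    (0.1, "10.0.0.5", "10.0.0.9", 80, b"GET /cgi-bin/badprobe HTTP/1.0\r\n"),
    (1.0, "10.0.0.7", "10.0.0.9", 21, b""),
    (1.1, "10.0.0.7", "10.0.0.9", 22, b""),
    (1.2, "10.0.0.7", "10.0.0.9", 23, b""),
    (1.3, "10.0.0.7", "10.0.0.9", 25, b""),
    (1.4, "10.0.0.7", "10.0.0.9", 80, b""),
    (9.0, "10.0.0.8", "10.0.0.9", 443, b""),
]

# Stateless signature: a byte sequence that must appear inside one packet.
# The name and pattern are hypothetical.
SIGNATURES = {"constructed-web-probe": b"/cgi-bin/badprobe"}


def match_signatures(packets):
    """Plain pattern matching: each packet is judged on its own bytes,
    with no memory of earlier packets."""
    return [(ts, src, name)
            for ts, src, _dst, _port, payload in packets
            for name, pattern in SIGNATURES.items()
            if pattern in payload]


def detect_port_scans(packets, threshold=5, window=2.0):
    """Stateful heuristic: alert once when a single source touches at
    least `threshold` distinct ports on one host within `window` seconds.
    State (recent (port, ts) pairs per src/dst pair) is what makes this
    costlier than per-packet matching."""
    recent = defaultdict(list)   # (src, dst) -> [(port, ts), ...]
    alerted = set()
    alerts = []
    for ts, src, dst, port, _payload in packets:
        key = (src, dst)
        # Drop entries that fell out of the time window, then record this one.
        recent[key] = [(p, t) for p, t in recent[key] if ts - t <= window]
        recent[key].append((port, ts))
        distinct_ports = {p for p, _ in recent[key]}
        if len(distinct_ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ts, src, dst))
    return alerts


if __name__ == "__main__":
    print("signature hits:", match_signatures(PACKETS))
    print("port-scan alerts:", detect_port_scans(PACKETS))
```

The signature check fires on the single probe packet, while the scan heuristic stays silent until the fifth distinct port from 10.0.0.7 arrives within the window.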
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]