Typically, this level of detection is performed by devices specific to network monitoring. Products in the SIM space typically do not perform actual detection at the network or host layer. Instead, they aggregate, normalize, and correlate detections from other products such as IDS, Firewalls, Logs, etc.
The reason why you are finding that vendors don't understand what you mean by TCP stream re-assembly is due to the fact that they just don't work at that level. They will talk to you about Correlation Techniques such as Vulnerability Correlation to highlight IDS events that will actually have an impact, or Statistical Correlation which will highlight assets that are most at risk. In short, SIMs handle events and correlate those events with the overall state of the security posture (if that data is available). I'd take a look at the link that Ron posted and then either use one of those network specific technologies or, as many fine products start out, build your own :-)
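An added example, not part of the original post: a sketch of the vulnerability correlation described above, in which IDS alerts and firewall logs are normalized and then matched against vulnerability-scan data so that only alerts able to affect their target are escalated. The two record formats, the field names, the `VULN-*` references and all sample data are constructed for illustration and do not come from any particular product.

```python
"""Vulnerability correlation over normalized events (all sample data constructed)."""
from collections import namedtuple

Event = namedtuple("Event", "source src dst vuln_ref")

# Constructed raw records in two hypothetical vendor formats.
IDS_ALERTS = [
    "10.0.0.5|192.168.1.10|VULN-A",  # target is vulnerable to VULN-A
    "10.0.0.5|192.168.1.20|VULN-A",  # target is not vulnerable to VULN-A
    "10.0.0.9|192.168.1.20|VULN-B",  # target is vulnerable, but flow was denied
]
FW_LOGS = [
    "action=allow src=10.0.0.5 dst=192.168.1.10",
    "action=deny src=10.0.0.9 dst=192.168.1.20",
]
# Constructed scan results: asset -> vulnerability references still open on it.
SCAN = {"192.168.1.10": {"VULN-A"}, "192.168.1.20": {"VULN-B"}}


def normalize_ids(line):
    """Map a pipe-delimited IDS alert onto the common Event schema."""
    src, dst, ref = line.split("|")
    return Event("ids", src, dst, ref)


def normalize_fw(line):
    """Map a key=value firewall log line onto (action, src, dst)."""
    kv = dict(field.split("=", 1) for field in line.split())
    return kv["action"], kv["src"], kv["dst"]


def correlate(ids_alerts, fw_logs, scan):
    """Return (priority, event) pairs with high-priority events first."""
    denied = {(s, d) for a, s, d in map(normalize_fw, fw_logs) if a == "deny"}
    results = []
    for ev in map(normalize_ids, ids_alerts):
        if (ev.src, ev.dst) in denied:
            prio = "low"    # the firewall blocked this flow
        elif ev.vuln_ref in scan.get(ev.dst, set()):
            prio = "high"   # the target is vulnerable to what the IDS saw
        else:
            prio = "low"    # the attack cannot affect this target
        results.append((prio, ev))
    results.sort(key=lambda r: r[0] != "high")  # stable sort keeps arrival order
    return results


if __name__ == "__main__":
    for prio, ev in correlate(IDS_ALERTS, FW_LOGS, SCAN):
        print(prio, ev)
```

None of this inspects packets or reassembles streams; it works only on events that other sensors have already produced.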