Subject: Re: IDS: IDS Comparison
From: Robert Graham (robert_david_grahamyahoo.com)
Date: Sat Mar 04 2000 - 19:16:36 CST


FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
---------------------------------------------------------------------------

--- Jackie Chan <blue0neigloo.org> wrote:
> Robert,
> You give the impression that RealSecure won't even alert you to
> what is going on when an attacker (why must we still call them hackers
> when we know this is wrong) uses fragrouter. The truth is that
> RealSecure WILL alert that fragmented packets are going through, from
> what source, and to what destination. It is true that it will not tell
> you specifically what the attack was, but let's not confuse users into
> believing that they will have no idea as to what is happening. Oh, and by
> the way, I don't work for a vendor, so my opinion is totally unbiased.

This is my point: RealSecure does very little protocol analysis. It doesn't truly understand the protocols going through the box, but instead just looks for a few patterns in the frames.

It can see that packets are fragmented, but it doesn't know why. It doesn't really know why anything happens. Packets are fragmented for other reasons. This leads to the problem of false positives. I've heard over and over that RealSecure collapses under the load of false positives. I've even had customers call us worrying that BlackICE wasn't working because they plugged in our box next to RealSecure and it was going off like mad, but BlackICE wasn't triggering anything. This was because there was no intrusion to detect. As soon as they started doing test intrusions, BlackICE caught them.

In contrast, BlackICE does full 7-layer stateful protocol analysis. When it triggers an alert, it does so from a fairly complete understanding of the protocol operations. There are still false positives, but dramatically fewer.

My point is, and I'm sure of it, that RealSecure is a toy. It isn't a serious IDS like Dragon/NFR/BlackICE. It certainly has a polished UI and lots of marketing behind it, but it isn't very sophisticated. But which would you rather have: a polished UI on a system that doesn't detect intrusions well, or a system that catches hackers?

Rob. Network ICE

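An added illustration, not part of this thread, of the distinction Rob draws above: a per-frame matcher that alerts on fragmentation itself and can only match a pattern inside one frame, beside a detector that reassembles the datagram before inspecting it. The fragment model, the signature string and both traffic samples are constructed for the example and stand in for no real product's logic.

```python
from collections import defaultdict

# Constructed model of IP fragments (datagram id, byte offset, more-fragments flag, payload).
# Real fragment offsets are in 8-byte units; plain byte counts keep the reassembly easy to read.
SIGNATURE = b"EXAMPLE-ATTACK-STRING"  # hypothetical pattern a signature IDS looks for

def make_fragments(dgram_id, payload, split_at):
    """Split one payload into two fragments at byte index split_at."""
    return [
        {"id": dgram_id, "offset": 0, "more": True, "data": payload[:split_at]},
        {"id": dgram_id, "offset": split_at, "more": False, "data": payload[split_at:]},
    ]

def per_frame_detector(fragments, signature=SIGNATURE):
    """Frame-by-frame inspection: flags fragmentation itself and matches only within a frame."""
    alerts = []
    for f in fragments:
        if f["more"] or f["offset"] > 0:
            alerts.append(("fragmented-traffic", f["id"]))  # fires on benign fragments too
        if signature in f["data"]:
            alerts.append(("signature-match", f["id"]))
    return alerts

def reassemble(fragments):
    """Return {id: payload} for datagrams whose fragments form a complete, contiguous stream."""
    by_id = defaultdict(list)
    for f in fragments:
        by_id[f["id"]].append(f)
    complete = {}
    for dgram_id, frags in by_id.items():
        frags.sort(key=lambda frag: frag["offset"])
        buf, expected, saw_last = b"", 0, False
        for f in frags:
            if f["offset"] != expected:  # gap or overlap: cannot reassemble yet
                break
            buf += f["data"]
            expected += len(f["data"])
            saw_last = not f["more"]
        else:
            if saw_last:
                complete[dgram_id] = buf
    return complete

def stateful_detector(fragments, signature=SIGNATURE):
    """Reassemble first, then inspect the whole datagram; fragmentation alone is not an event."""
    return [("signature-match", i) for i, p in reassemble(fragments).items() if signature in p]

# Constructed traffic: a benign fragmented request, and a datagram whose pattern straddles a boundary.
BENIGN = make_fragments(1, b"GET /index.html HTTP/1.0\r\n", 10)
SPLIT = make_fragments(2, b"GET /" + SIGNATURE + b" HTTP/1.0\r\n", 12)
```

The per-frame detector raises "fragmented-traffic" on the benign request (a false positive) and misses the split pattern entirely, while the reassembling detector stays quiet on the benign traffic and matches the reassembled datagram.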