Subject: Re: IDS: a novice question. -reply
From: Stuart Staniford-Chen (stuart@SiliconDefense.com)
Date: Mon Mar 27 2000 - 06:16:59 CST
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
Mark.Teicher@predictive.com wrote:
> The problem is that with a large policy or rule set, so to speak, the rule
> set is loaded into memory, causing the hardware you are working on to be
> pegged at 100% memory and CPU usage. This is the case on most platforms;
> some CPU usage may differ among the operating system selected for the IDS
I don't think you have this part quite right. AFAIK IDSs ship with a
few hundred to a few thousand signatures at most. Figure 100-1000 bytes
per signature in memory, and we're talking a few MB to store the data
structures at most. Memory for signatures shouldn't be a serious
concern. (Memory for connection state obviously is, but that's a
different issue.) And if the IDS is having trouble keeping up speed-wise,
having to load in things off disk is going to make it a whole lot
worse, not better.
The only situation where I can imagine it making sense to keep
signatures on disk and pull them into memory on demand is if you have
massive numbers of custom signatures (like hundreds of thousands) which
are rarely used. I haven't heard of an IDS like that - but maybe you
have? Even then, it would almost certainly be better to let the OS
virtual memory system take care of it rather than coding the IDS to do
the management itself.
> system. There needs to be some AI built into this pattern matching schema,
> but that is not that tough to do.
Well - actually I think it is tough to do well :-). But us PhD geeks
are trying.
Stuart.
--
Stuart Staniford-Chen --- President --- Silicon Defense
stuart@silicondefense.com
(707) 822-4588 (707) 826-7571 (FAX)