Subject: Re: IDS: a novice question. -reply
From: Mark.Teicher@predictive.com
Date: Tue Mar 28 2000 - 10:19:51 CST


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
Let's go over this again, using two StrongARM RISC processors with 32 Megs
of memory, can handle the disk I/O in milliseconds, so disk thrashing will
not be a problem and neither will it have a problem with keeping up with the
amount of traffic. If you build a small embedded O/S that is smaller than
1 meg, the O/S is then optimized for the IDS application, no GUI
overhead since the GUI console communicates with the sensor via an
encrypted channel. So therefore, the policy is set by the console, zapped
into the detector, the detector handles the policy pattern matching and
then passes what it may think is a problem back to the console on the
other channel and does whatever it was set up to do. The overhead is not on
the detectors per se; the Console, if architected and programmed correctly,
could multi-thread the reporting module with the display, therefore
eliminating some of the problems in using dynamic filter sets. This is
the type of architecture for an IDS that can scale and handle more than
1000 signatures.

The problem with some of the current O/Ses that IDS systems rely on is that
the operating systems are delivered by those people in Redmond. The operating
system source code alone is riddled with holes people have not even
discovered yet. Why would you trust an IDS system on that type of
operating system? The ideal IDS system would use a freely available O/S
that is stripped of the normal crud that is usually packaged with it, or
roll your own type of O/S, a la something similar to Livingston ComOS. Less
than a megabyte and can handle lots of concurrent connections.

Hmm, something old, something new..

Nuff said..

/,m

Stuart Staniford-Chen <stuart@SiliconDefense.com>
Sent by: owner-ids@uow.edu.au
03/27/00 04:16 AM

 
        To: Mark.Teicher@predictive.com
        cc: CrumrineGL@state.gov, ids@uow.edu.au, Matthew.Brown@predictive.com,
raj2569@yahoo.com, robert_david_graham@yahoo.com,
Valerie.Blanchard@predictive.com
        Subject: Re: IDS: a novice question. -reply


Mark.Teicher@predictive.com wrote:

> The problem is that with a large policy or rule set so to speak, the
> rule set is loaded into memory causing the hardware you are working to be
> pegged at 100% Memory and CPU usage. This is the case on most
> platforms, some CPU usage may differ among the operating system selected
> for the IDS

I don't think you have this part quite right. AFAIK IDS's ship with a
few hundred to a few thousand signatures at most. Figure 100-1000 bytes
per signature in memory, and we're talking a few MB to store the data
structures at most. Memory for signatures shouldn't be a serious
concern. (Memory for connection state obviously is, but that's a
different issue). And if the IDS is having trouble keeping up speed
wise, having to load in things off disk is going to make it a whole lot
worse, not better.

The only situation where I can imagine it making sense to keep
signatures on disk and pull them into memory on demand is if you have
massive numbers of custom signatures (like hundreds of thousands) which
are rarely used. I haven't heard of an IDS like that - but maybe you
have? Even then, it would almost certainly be better to let the OS
virtual memory system take care of it rather than coding the IDS to do
the management itself.

> system. There needs to some AI built-into this pattern matching schema,
> but that is not that tough to do.

Well - actually I think it is tough to do well :-). But us PhD geeks
are trying.

Stuart.

--
Stuart Staniford-Chen --- President --- Silicon Defense
                   stuart@silicondefense.com
(707) 822-4588                     (707) 826-7571 (FAX)
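Stuart's back-of-envelope estimate (a few hundred to a few thousand signatures at 100-1000 bytes each, so a few MB at most, with connection state being the real memory consumer) can be checked directly. The script below is an added example and is not part of this thread or of any product discussed in it: it builds a constructed table of compiled signatures the way a simple pattern-matching engine would hold them in memory, measures the actual allocation with tracemalloc, and puts the result next to a flow-state table of a realistic size. The signature patterns, counts and per-flow sizes are all constructed for the demonstration.

```python
"""Check of the 'signatures fit in memory' argument from the thread.

Builds a few thousand constructed signatures, loads them as compiled
patterns plus metadata (what a small signature engine keeps resident),
measures the allocation with tracemalloc, and compares it with the
memory a connection-state table of realistic size would need.
"""
import re
import tracemalloc


def build_signature_table(n):
    """Return n constructed signatures: compiled pattern plus metadata."""
    table = []
    for i in range(n):
        # Constructed pattern: a distinct CGI path per signature followed
        # by a bounded, space-free argument string.
        pat = re.compile(rb"GET /cgi-bin/sig%d\?[^ \r\n]{1,%d}" % (i, 16 + i % 48))
        table.append({
            "id": i,
            "name": "SIG-%05d" % i,
            "pattern": pat,
            "severity": i % 5,
        })
    return table


def match_payload(table, payload):
    """Names of every signature whose pattern occurs in payload (bytes)."""
    return [sig["name"] for sig in table if sig["pattern"].search(payload)]


def measure_signature_memory(n):
    """Return (total_bytes, bytes_per_signature) allocated for n signatures.

    tracemalloc only counts Python-level allocations, which is what the
    signature table consists of here. Note that re.compile keeps a small
    global cache, so repeated runs with identical patterns measure less.
    """
    tracemalloc.start()
    table = build_signature_table(n)
    current, _peak = tracemalloc.get_traced_memory()
    tracemalloc.stop()
    del table
    return current, current // n


def memory_budget(n_signatures, bytes_per_signature, n_flows, bytes_per_flow):
    """Compare resident signature storage with connection-state storage.

    bytes_per_signature can be the measured figure from
    measure_signature_memory(); bytes_per_flow is an assumed per-connection
    state record size (addresses, ports, sequence numbers, reassembly data).
    """
    sig_bytes = n_signatures * bytes_per_signature
    flow_bytes = n_flows * bytes_per_flow
    return {
        "signature_mb": sig_bytes / 2 ** 20,
        "flow_state_mb": flow_bytes / 2 ** 20,
        "state_dominates": flow_bytes > sig_bytes,
    }


if __name__ == "__main__":
    total, per_sig = measure_signature_memory(3000)
    print("3000 signatures: %.2f MB resident, ~%d bytes each" % (total / 2 ** 20, per_sig))
    # Constructed comparison: 100k tracked flows at 512 bytes of state each.
    print(memory_budget(3000, per_sig, 100_000, 512))
    # Constructed packet payload to show the table actually matches.
    print(match_payload(build_signature_table(10), b"GET /cgi-bin/sig3?abc HTTP/1.0"))
```

Run it once and the measured per-signature figure lands in the same few-hundred-to-few-thousand-byte range Stuart quotes, so the whole table is a few MB; the flow-state side of the budget is the one that grows with traffic, which is the distinction the thread is making.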