Subject: RE: IDS: Misconception: app aware NIDS
From: rob (robert_david_grahamyahoo.com)
Date: Sat Sep 30 2000 - 23:33:27 CDT


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
-----------------------------------------------------------------------------
>From: Keiji Takeda [mailto:keijisfc.keio.ac.jp]
>In my understanding, all IDSs distinguish between port numbers.
>So, no IDS tries to match HTTP signatures onto RPC communications.

I'm sorry, you are right. Most NIDS generally pay attention to port numbers,
and would not get the two in conflict.

It's just that BlackICE often DOESN'T know about port numbers. E.g. the HTTP
parser runs on all ports all the time. Likewise, the RPC parser runs on all
ports all the time. They have to fight with each other in order to determine
who gets to analyze the port.

>If we want to have a very accurate IDS, it needs to understand the state of
> communications and needs to recognize semantics, as Marcus explained before.
>
>If I'm not wrong, I would like to know if BlackICE products
>understand the semantics of each protocol.

In a big way. Both the desktop and packet-sniffing variants of BlackICE are
based upon extensive protocol decoding, which means that they understand the
semantics of each protocol. In fact, it cannot grep for a pattern within a
packet like Snort. There is no general signature database; instead, you must
specify signatures in a format that is understood by each protocol parser.
Each protocol has its own format.

Rob.

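The design Rob describes above, where an HTTP parser and an RPC parser each look at every stream regardless of port and signatures are written in each parser's own terms rather than as raw byte patterns, is sketched below as an added illustration. This is example code written for this page, not BlackICE or Snort code; the parsers are deliberately minimal (the RPC one reads only a bare ONC RPC call header, ignoring TCP record marking), the confidence scores, the sample payloads and the two signatures (a directory-traversal pattern on the HTTP URI, a portmapper DUMP call for RPC) are constructed, and a plain port-table dispatcher is included only to show what a port-bound NIDS misses.

```python
"""Port-agnostic protocol parsers competing for the same TCP payload.

Constructed example: every parser inspects the bytes no matter which port they
arrived on and reports how confident it is; the most confident parser wins and
runs its own structured signatures. A port-table dispatcher is shown alongside.
"""
import re
import struct

# --- HTTP parser: recognises a request line and exposes method/uri/headers ---
_HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def parse_http(payload):
    """Return (confidence, fields); fields is None when this is not HTTP."""
    line, _, rest = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] not in _HTTP_METHODS or not parts[2].startswith(b"HTTP/"):
        return 0.0, None
    headers = {}
    for hdr in rest.split(b"\r\n"):
        if not hdr:
            break
        key, _, value = hdr.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return 0.9, {"method": parts[0].decode("ascii"),
                 "uri": parts[1].decode("latin-1"),
                 "headers": headers}


# --- ONC RPC parser (simplified: call header only, no TCP record marking) ---
def parse_rpc(payload):
    """Return (confidence, fields) for an RPC CALL (msg_type 0, rpcvers 2)."""
    if len(payload) < 24:
        return 0.0, None
    xid, msg_type, rpcvers, prog, vers, proc = struct.unpack(">6I", payload[:24])
    if msg_type != 0 or rpcvers != 2:
        return 0.0, None
    # Well-known program numbers live in 100000..199999; anything else is a weaker match.
    confidence = 0.8 if 100000 <= prog < 200000 else 0.4
    return confidence, {"xid": xid, "prog": prog, "vers": vers, "proc": proc}


PARSERS = {"http": parse_http, "rpc": parse_rpc}

# Signatures are expressed against parser fields, not raw packet bytes.
HTTP_SIGS = [("http-traversal", "uri", re.compile(r"(^|/)\.\./"))]
RPC_SIGS = [("rpc-portmap-dump", 100000, 4)]  # (name, program number, procedure)


def classify(payload):
    """Let every parser claim the bytes; the highest confidence wins."""
    best = ("unknown", 0.0, None)
    for name, parser in PARSERS.items():
        confidence, fields = parser(payload)
        if confidence > best[1]:
            best = (name, confidence, fields)
    return best


def match_signatures(proto, fields):
    alerts = []
    if proto == "http":
        alerts = [sig for sig, field, rx in HTTP_SIGS if rx.search(fields[field])]
    elif proto == "rpc":
        alerts = [sig for sig, prog, proc in RPC_SIGS
                  if fields["prog"] == prog and fields["proc"] == proc]
    return alerts


def inspect_port_agnostic(port, payload):
    """Content decides the protocol; the port is ignored."""
    proto, _, fields = classify(payload)
    return proto, match_signatures(proto, fields)


PORT_TABLE = {80: "http", 111: "rpc"}


def inspect_by_port(port, payload):
    """Port decides the protocol; traffic on other ports is never decoded."""
    proto = PORT_TABLE.get(port, "unknown")
    if proto == "unknown":
        return proto, []
    _, fields = PARSERS[proto](payload)
    return (proto, match_signatures(proto, fields)) if fields else ("unknown", [])


# Constructed sample traffic on non-standard ports.
HTTP_ON_8081 = (8081, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\nHost: example.test\r\n\r\n")
RPC_ON_33333 = (33333, struct.pack(">6I", 0x1A2B3C4D, 0, 2, 100000, 2, 4)
                + struct.pack(">4I", 0, 0, 0, 0))  # AUTH_NULL cred + verf

if __name__ == "__main__":
    for port, payload in (HTTP_ON_8081, RPC_ON_33333):
        print(port, "port-table:", inspect_by_port(port, payload),
              "content:", inspect_port_agnostic(port, payload))
```

Running the block shows the trade-off in the thread: the port-table dispatcher reports both flows as unknown, while the content-based one decodes the HTTP request on 8081 and the RPC call on 33333 and raises the matching per-protocol alert. The cost is the "fight" Rob mentions: every parser is invoked on every stream, so each needs a fast, reliable way to say "not mine".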