OSEC

From: Yune Sung (yuneNETIAN.COM)
Date: Wed Apr 04 2001 - 02:11:22 CDT


    I guess Axent's NetProwler has a kind of Stateful
    Inspection Engine, called Stateful Dynamic
    Signature Inspection (SDSI). I think it has each
    application's state information, and detects customized
    attack signatures.
    Pls, check it out....

    Yune Sung

    KISA, Seoul Korea
    Email: yunenetian.com
    > To All,
    >
    >
    > It is my understanding that no current IDS (including ISS's
    > RealSecure) does stateful inspection of the connections on the
    > network segment being monitored. Therefore, it is not necessary to
    > establish a legitimate TCP connection in order for the IDS to
    > register an attempted attack. Since no TCP connection is necessary,
    > could someone with malicious intent spoof their source IP address to
    > be any address on the Internet, presuming that the site that they
    > are launching from has not implemented egress filtering as described
    > in RFC 2267? The target of the attack (or perhaps an intervening
    > firewall or packet filter) will disregard these fake attack packets
    > because they are not part of a legitimate, established TCP
    > connection. With that said the IDS will Log all the Fake Attack
    > The IDS will continue to run as normal, registering a large number
    > of attacks. If the attacker simultaneously runs a real attack during
    > this time, it will be difficult to tell from the IDS system alone
    > which attack is real and therefore where the real attack originated.
    >
    > Solution?
    > Could you put a firewall in front of the IDS that is only configured
    > for Stateful Inspection (a simple LINUX box firewall)? (Will this
    > cause the IDS to miss other attempted attacks as well?)
    >
    >
    >
    >
    > Vern Waltman
    > JTF-CND Sr. Technical Analysts
    > Litton TASC
    > E-mail: waltmanvjtfcnd.ia.mil
    > (703) 607-4050 ext. 4481
    > FAX: (703) 607- 4009
    >
    >
    >
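The difference the thread is discussing, shown as an added example that is not part of the original messages or of any product named in them: a stateless signature matcher alerts on every matching packet, while a matcher that tracks the TCP handshake can label each hit by whether the flow was ever established, so nothing is discarded. The packet records, addresses, signature string and class name are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet records; flags use S=SYN, A=ACK, P=PSH, F=FIN, R=RST.
Pkt = namedtuple("Pkt", "src sport dst dport flags payload")
SIGNATURE = b"EXAMPLE-ATTACK-PATTERN"   # placeholder signature, not a real rule

def stateless_alerts(pkts):
    """Alert on any packet carrying the signature, handshake or not."""
    return [p.src for p in pkts if SIGNATURE in p.payload]

class StatefulMatcher:
    """Tracks the three-way handshake per flow and labels signature hits.
    Simplification: sequence/acknowledgement numbers are not verified,
    which a real engine must also do."""
    def __init__(self):
        self.state = {}   # (client, cport, server, sport) -> handshake state

    def inspect(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if "R" in p.flags or "F" in p.flags:
            self.state.pop(fwd, None)
            self.state.pop(rev, None)
        elif p.flags == "S":
            self.state[fwd] = "SYN_SENT"
        elif p.flags == "SA" and self.state.get(rev) == "SYN_SENT":
            self.state[rev] = "SYN_ACKED"
        elif "A" in p.flags and self.state.get(fwd) == "SYN_ACKED":
            self.state[fwd] = "ESTABLISHED"
        if SIGNATURE in p.payload:
            established = self.state.get(fwd) == "ESTABLISHED"
            # Label instead of drop, so hits outside a session stay visible.
            return (p.src, "established" if established else "no-session")
        return None

def stateful_alerts(pkts):
    matcher = StatefulMatcher()
    return [hit for hit in map(matcher.inspect, pkts) if hit]

SAMPLE = [  # constructed traffic: two packets with no handshake, one full session
    Pkt("198.51.100.7", 40000, "192.0.2.10", 80, "PA", SIGNATURE),
    Pkt("198.51.100.8", 40001, "192.0.2.10", 80, "PA", SIGNATURE),
    Pkt("203.0.113.9", 51000, "192.0.2.10", 80, "S", b""),
    Pkt("192.0.2.10", 80, "203.0.113.9", 51000, "SA", b""),
    Pkt("203.0.113.9", 51000, "192.0.2.10", 80, "A", b""),
    Pkt("203.0.113.9", 51000, "192.0.2.10", 80, "PA", SIGNATURE),
]

if __name__ == "__main__":
    print(stateless_alerts(SAMPLE))
    print(stateful_alerts(SAMPLE))
```

Labelling rather than filtering speaks to the question in the quoted message about missed attacks: hits outside an established session are still recorded, only ranked lower for the analyst.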