
RE: Policy Based IDS

From: DeGennaro, Gregory <Gregory_DeGennaro(at)csaa.com>
Date: Wed Jul 09 2003 - 11:39:23 EDT


> I am looking for information on "Policy Based IDS" configuration where you

> define what is normal and acceptable behavior for the network segments
> you are protecting

< You need to acquire the ingress and egress metric of your own network and then set the anomalous threshold according to your metric. Or use someone else's suggestion or configuration.

>What are the pros and cons of "policy based IDS" over "rule based IDS"

Pros and Cons of policy based or statistical anomaly based IDS:

Pros

  1. Detects fragmented packet attacks and other anomalies that signature or rule base cannot pick up. Good for "Day 0" attacks.

Cons

  1. You can DoS yourself with logs and other traffic if you do not configure correctly.
  2. Potential High False Positive readings.

Pros and Cons of rule based or signature based IDS


Pro

  1. Signature based IDS have signatures just like anti-virus software. This means if the IDS detects something, you will know what it is?
  2. Updates readily available by manufacturer. At least, in most cases?

Cons

  1. Relying on OEM for signature updates. This can also be a con.
  2. Cannot detect certain signatures such as fragmented attacks and day 0 attacks.

Plus others ...

You should use both devices together, monitor them continuously, and make sure to configure them correctly.

As for IPS, they are good but they still have some AI maturing to do before I can rely on them to make a "conscious" decision. Then again, it all depends on the needs of your network and who you are serving?

Regards,

Greg DeGennaro Jr., CCNP
Security Analyst
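The reply above describes the statistical side of a "policy based" IDS in two sentences: collect the ingress and egress metric of your own network, then set an anomalous threshold against it, accepting that a badly chosen threshold floods you with false positives. The following is an added illustration of that loop, not code from anyone in this thread. All of the traffic counts are constructed, hypothetical values for a made-up segment; the function names and the choice of a z-score (distance from the mean in standard deviations) as the metric are this example's own assumptions.

```python
"""Baseline-and-threshold anomaly detector over per-interval traffic counters.

Added example (not from the thread): builds a profile of "normal" ingress and
egress volume from constructed samples, then flags intervals that deviate by
more than a chosen number of standard deviations.
"""
from statistics import mean, pstdev

# Constructed baseline: packets per 5-minute interval observed during a quiet
# period on a hypothetical segment. A real deployment would collect days of
# data per segment and per time of day; these numbers are illustrative only.
BASELINE = {
    "ingress": [1200, 1250, 1180, 1300, 1220, 1275, 1240, 1210, 1190, 1260, 1230, 1245],
    "egress":  [800, 820, 790, 850, 810, 830, 805, 815, 795, 825, 810, 820],
}

# Constructed observations to score against the baseline (hypothetical).
OBSERVATIONS = [
    {"ingress": 1240, "egress": 810},   # ordinary interval
    {"ingress": 1250, "egress": 4200},  # egress spike far above normal
    {"ingress": 9800, "egress": 805},   # ingress flood
    {"ingress": 1310, "egress": 790},   # slightly busy, still plausible
]


def build_profiles(baseline):
    """Summarise each direction as (mean, population stddev)."""
    return {d: (mean(v), pstdev(v)) for d, v in baseline.items()}


def zscore(value, profile):
    """Distance from the mean in standard deviations: the metric the threshold is set on."""
    mu, sigma = profile
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def detect(observations, profiles, threshold):
    """Return (interval_index, direction, value, z) for every counter beyond the threshold."""
    alerts = []
    for idx, counters in enumerate(observations):
        for direction, value in counters.items():
            z = zscore(value, profiles[direction])
            if abs(z) > threshold:
                alerts.append((idx, direction, value, round(z, 2)))
    return alerts


def self_alert_rate(baseline, profiles, threshold):
    """Fraction of the baseline's own samples that would alert at this threshold.

    The baseline is by definition normal traffic, so every such alert is a
    false positive; this is the cost of tightening the threshold.
    """
    total = sum(len(v) for v in baseline.values())
    flagged = sum(
        1
        for direction, values in baseline.items()
        for v in values
        if abs(zscore(v, profiles[direction])) > threshold
    )
    return flagged / total


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for direction, (mu, sigma) in profiles.items():
        print(f"{direction}: mean={mu:.1f} stddev={sigma:.1f}")
    for threshold in (3.0, 2.0, 1.5):
        alerts = detect(OBSERVATIONS, profiles, threshold)
        fp = self_alert_rate(BASELINE, profiles, threshold)
        print(f"threshold={threshold}: {len(alerts)} alert(s), "
              f"baseline self-alert rate={fp:.1%}")
        for a in alerts:
            print("   ", a)
```

Running it shows the trade-off the reply points at: at three standard deviations only the two gross spikes alert and none of the baseline's own samples trip, at two the "slightly busy" interval also alerts, and at one and a half roughly one in six normal intervals would alert on its own. The threshold has to be chosen per segment and per direction from that segment's own metric, which is why a configuration borrowed from someone else only works as a starting point.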

-----Original Message-----
From: Mark Fagan [mailto:r00t@online.ie] Sent: Wednesday, July 09, 2003 7:47 AM
To: NidsKid
Cc: focus-ids@securityfocus.com
Subject: Re: Policy Based IDS


Hi All,

I know of a policy based "IPS"; it's named Okena, recently acquired by Cisco.

Works really well in Database / Web type environment.

Ping me off-list for further information, if interested.

Cheers

M  

Quoting NidsKid <mylesg@tinet.ie>:

>
>
> I am looking for information on "Policy Based IDS" configuration where you


> define what is normal and acceptable behaviour for the network segments

> what problems did you encounter or overcome using this type of


Received on Fri Jul 11 12:59:03 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:16 EDT

