From: leonardodiserpierodavinci on 18 Jan 2008 11:35

Hi,

Do you know any solution (better if open source) to compare IDS and IPS logs in such a way that IDS logs are used to automatically enforce IPS rules? I googled around but all I found was a reference to SnortAlog.

Thanks in advance for any hint.

L
From: Sebastian G. on 18 Jan 2008 11:43

leonardodiserpierodavinci(a)gmail.com wrote:

> Do you know any solution (better if open source) to compare IDS and
> IPS logs in such a way that IDS logs are used to automatically enforce
> IPS rules?

An Intrusion Protection System is typically defined as a combination of an IDS and an automatic rule creation as reaction to the IDS log entries.

At any rate, over time this hasn't become any less stupid. So better think twice and abandon this idea.
From: Arjun on 21 Jan 2008 04:30

Try out the ISS Proventia solution; there you can have both simulation and in-line mode... maybe that could be of great help to you.
From: leonardodiserpierodavinci on 21 Jan 2008 05:48

On Jan 18, 5:43 pm, "Sebastian G." <se...(a)seppig.de> wrote:

> An Intrusion Protection System is typically defined as a combination of an
> IDS and an automatic rule creation as reaction to the IDS log entries.
>
> At any rate, over the time this hasn't become any less stupid. So better
> think twice and abandon this idea.

You mean because of the circular dependency? Do you have other suggestions?

Thanks for your answer.
From: Sebastian G. on 21 Jan 2008 13:29

leonardodiserpierodavinci(a)gmail.com wrote:

> On Jan 18, 5:43 pm, "Sebastian G." <se...(a)seppig.de> wrote:
>> An Intrusion Protection System is typically defined as a combination of an
>> IDS and an automatic rule creation as reaction to the IDS log entries.
>>
>> At any rate, over the time this hasn't become any less stupid. So better
>> think twice and abandon this idea.
>
> You mean because of the circular dependency?

No, because of spoofing. Consider that an IPS automatically blocks every host that seems to attack it. Now, as an attacker, I'd spoof all relevant legitimate hosts, and the IPS would block access to them - a wonderful Denial of Service, trademark "self-created". Without a whitelist, you'll even disconnect yourself from your very own hosts, f.e. a DNS server.

> Do you have other suggestions?

Dump the idea of an IPS for the mentioned reasons. Carefully calculate the actual costs of sensibly reading and evaluating the IDS output, and compare it to the marginal security benefits it offers - and most likely you'll end up dumping the IDS as well.
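The failure mode Sebastian describes (alert-driven blocking that can be turned into a self-inflicted denial of service against the site's own DNS server or gateway) and the whitelist he mentions as the minimum safeguard are easy to see in code. The following Python is an added example, not code from this thread, from SnortAlog or from any IPS product: it parses constructed Snort "alert_fast"-style lines (the rule IDs, messages and addresses are invented, using documentation address ranges), derives candidate block entries the way a naive auto-block script would, and refuses to block any source that falls inside an assumed list of critical infrastructure hosts. Run without that list, the same alerts would have the site drop traffic from its own resolver and default gateway.

```python
import ipaddress
import re

# Constructed Snort "alert_fast"-style lines (hypothetical rule IDs and
# messages; 198.51.100.0/24 plays the site's own network, 203.0.113.0/24
# plays the outside).
SAMPLE_ALERTS = [
    "01/18-11:35:02.000001  [**] [1:1000001:1] HYPOTHETICAL SSH brute force [**] "
    "[Priority: 2] {TCP} 203.0.113.7:51000 -> 198.51.100.20:22",
    "01/18-11:35:05.000002  [**] [1:1000002:1] HYPOTHETICAL web scanner [**] "
    "[Priority: 3] {TCP} 203.0.113.9:44120 -> 198.51.100.20:80",
    # Source address forged to look like the site's own resolver (the spoofing
    # case raised in the thread).
    "01/18-11:35:09.000003  [**] [1:1000003:1] HYPOTHETICAL DNS query flood [**] "
    "[Priority: 2] {UDP} 198.51.100.53:5353 -> 198.51.100.20:53",
    # Source address forged to look like the default gateway.
    "01/18-11:35:11.000004  [**] [1:1000001:1] HYPOTHETICAL SSH brute force [**] "
    "[Priority: 2] {TCP} 198.51.100.1:40000 -> 198.51.100.20:22",
]

# Hosts the site cannot afford to lose (assumed for the example): resolver,
# default gateway and the monitored server itself.
CRITICAL_HOSTS = ["198.51.100.53/32", "198.51.100.1/32", "198.51.100.20/32"]

# Matches "[**] [gid:sid:rev] message [**] ... {PROTO} src:port -> dst:port".
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Return the fields of one alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def plan_blocks(lines, protected_cidrs):
    """Split alert sources into (to_block, refused).

    A source inside any protected CIDR is never blocked, because the IDS only
    saw a source address in a packet; it cannot tell whether that address was
    forged. Everything else is what a naive auto-blocker would act on.
    """
    nets = [ipaddress.ip_network(c) for c in protected_cidrs]
    to_block, refused, seen = [], [], set()
    for line in lines:
        alert = parse_alert(line)
        if alert is None or alert["src"] in seen:
            continue
        seen.add(alert["src"])
        addr = ipaddress.ip_address(alert["src"])
        if any(addr in n for n in nets):
            refused.append(alert["src"])
        else:
            to_block.append(alert["src"])
    return to_block, refused


def render_drop_rules(to_block):
    """Render the block list as iptables commands (not executed here)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in to_block]


if __name__ == "__main__":
    naive, _ = plan_blocks(SAMPLE_ALERTS, [])
    print("naive auto-block would drop:", naive)
    safe, refused = plan_blocks(SAMPLE_ALERTS, CRITICAL_HOSTS)
    print("with whitelist, blocked:", safe, "refused:", refused)
    for rule in render_drop_rules(safe):
        print(rule)
```

The whitelist only removes the self-DoS against known infrastructure; it does nothing for the wider point in the thread, that any other legitimate peer whose address an attacker chooses to forge will still be cut off. That residual risk is why the post argues for reading the IDS output rather than wiring it straight into blocking rules.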