"Zow" Terry Brugger wrote:

> Unless it is a transparent application proxy,

Given. Still, it works at the application layer, otherwise it is a
cunningly-renamed stateful firewall which performs deep inspection.

> Unless it is an IPS, in which case

In which case it is not an IDS, and thus not in scope with the original
question :)

> The difference I'd see is that network IDS/IPS devices typically look
> for specific signatures (sequences of bytes, regular expressions,
> certain flags set in the headers, etc) on a session (TCP, UDP, ICMP)
> or network (IP) level packet.

Counterexamples: Arbor, Lancope

> Most can do some degree of session
> reassembily, but only in so far as to catch signatures which are
> divided across multiple packets.

I'm pretty sure that Martin Roesch, if he reads, will have something to
say here :)

--
Cordiali saluti,

Ing. Stefano Zanero, PhD
CTO & Co-Founder

Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI)
Phone: +39 02.24126788
Fax: +39 02.24126789
email: s.zanero (at) securenetwork (dot) it [email concealed]
web: www.securenetwork.it

------------------------------------------------------------------------

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=intro_sfw
to learn more.
------------------------------------------------------------------------

[ reply ]