[Dshield] InMon Corp.'s internal IDS

Bo Mendenhall Bo.Mendenhall at hsc.utah.edu
Thu Apr 29 06:00:13 GMT 2004


From http://www.inmon.com/traffic-management/0190.html

When loading Snort rules into Traffic Server you need to keep in mind
that Traffic Server is seeing only sampled packet headers. Any rule that
looks further than 128 bytes into the packet is unlikely to fire since
most sFlow implementations only capture the first 128 bytes of the
packet. In addition, connection following is impossible since packets
are randomly sampled, so any rules that depend on stateful packet
inspection will fail.

It appears to have some legitimate use depending on what you are trying
to get out of it ;)

Bo
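The two effects in the InMon text Bo quotes (the 128-byte header cap and the loss of connection state under random sampling) worked through in a small Python model. This is an added illustration, not InMon's or Snort's code; the packet layout, the 54-byte header length, the rule names and the traffic are all constructed so the example runs offline.

```python
"""Toy model of sFlow sampling versus signature rules.

Added illustration, not InMon's or Snort's code. The packet layout, rule
names and traffic below are constructed so the example runs offline.
"""
import random
from dataclasses import dataclass

SFLOW_HEADER_BYTES = 128   # per-packet capture length cited in the post
L2_L4_HEADER_LEN = 54      # constructed: Ethernet (14) + IPv4 (20) + TCP (20)


@dataclass
class Packet:
    src: str
    dst: str
    flags: str       # "S", "SA", "A", "PA"
    payload: bytes


@dataclass
class Rule:
    name: str
    content: bytes
    offset: int = 0            # like Snort's `offset` modifier (payload-relative)
    established: bool = False  # like Snort's `flow:established` (needs TCP state)


def build_traffic():
    """Constructed TCP exchange: handshake, then two data packets."""
    c, s = "10.0.0.5", "10.0.0.9"
    deep = b"GET /index.html HTTP/1.0\r\n" + b"A" * 200 + b"EVIL-MARKER"
    return [
        Packet(c, s, "S", b""),
        Packet(s, c, "SA", b""),
        Packet(c, s, "A", b""),
        Packet(c, s, "PA", deep),              # signature sits past byte 128
        Packet(c, s, "PA", b"USER root\r\n"),  # signature in the first bytes
    ]


RULES = [
    Rule("deep-content", b"EVIL-MARKER", offset=128),
    Rule("early-content", b"USER root"),
    Rule("stateful-early", b"USER root", established=True),
]


def sflow_sample(packets, rate, rng=None, keep=None):
    """Model an sFlow agent: keep roughly 1-in-`rate` packets and truncate
    each kept frame to SFLOW_HEADER_BYTES. `keep(i)` overrides the random
    choice so callers can make a run deterministic."""
    rng = rng or random.Random(0)
    visible_payload = max(0, SFLOW_HEADER_BYTES - L2_L4_HEADER_LEN)
    sampled = []
    for i, pkt in enumerate(packets):
        chosen = keep(i) if keep is not None else rng.random() < 1.0 / rate
        if chosen:
            sampled.append(Packet(pkt.src, pkt.dst, pkt.flags,
                                  pkt.payload[:visible_payload]))
    return sampled


def fired_rules(rules, packets):
    """Evaluate rules over a packet sequence, tracking handshakes for state.
    Returns the set of rule names that fired at least once."""
    seen_syn, established, fired = set(), set(), set()
    for pkt in packets:
        key, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "S":
            seen_syn.add(key)
        elif pkt.flags == "SA" and rev in seen_syn:
            established.update({key, rev})
        for rule in rules:
            if rule.established and key not in established:
                continue  # no handshake seen: flow-dependent rule cannot match
            if pkt.payload.find(rule.content, rule.offset) != -1:
                fired.add(rule.name)
    return fired


if __name__ == "__main__":
    traffic = build_traffic()
    print("full capture :", sorted(fired_rules(RULES, traffic)))
    sampled = sflow_sample(traffic, rate=2, rng=random.Random(1))
    print("sFlow sample :", sorted(fired_rules(RULES, sampled)))
```

On the full capture all three rules fire. Feeding the same traffic through the sampler shows the two separate failure modes: truncation alone (keep every packet) silences the deep-content rule, while dropping the handshake packets (random 1-in-N, or `keep` restricted to the data packets) silences the flow-dependent rule even though its content is still visible.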

>>> peteoutside at yahoo.com 4/28/2004 6:21:16 AM >>>
Greetings List,
 
Just saw the following this morning:
 
The InMon corporation has developed an IDS solution which monitors
internal traffic flow instead of just the perimeter in order to catch
worms and such.
 
http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20040427005849&newsLang=en


Your thoughts and comments on this are invited.
 
For myself, I wonder if this must involve some level of anomaly
detection, and if so, I wonder by what methods they assess what is
"anomalous enough."  Same problems I've been working on since I entered
this field (of course, that was only six months ago).
 
Regards,
 
Pete
