[svlug] Proxy/Forwarding tool/code
rick at linuxmafia.com
Wed Aug 30 21:53:01 PDT 2000
begin J C Lawrence quotation:
> A damned interesting (and seemingly very perceptive) product per my
> play with it here (thinking about it for a current client). There's
> precious little being done in the Open Source arena for real IDS
> tools, and most especially for NIDS tools.

I really doubt the latter work properly.

In order for them to function, NIDS suites have to (among other things)
reassemble incoming fragmented packet streams, and deal correctly with
a tremendous variety of malformed traffic. For starters, that can take
a great deal of processing power, and it strains credulity that typical
boxen devoted to that purpose will be able to keep up.

Of course, also, a number of attacks and probes _rely_ on malformed
traffic. Evaluations of such tools I've heard suggest that they tend to
ignore much of that malformed traffic, which is _not_ the right thing to

I lean towards suspecting it's snake oil (and would in general terms
favour the host-based approach). But then, snake oil is woefully
prevalent in this field.

Cheers,
Rick Moen
rick at linuxmafia.com

"Teach a man to make fire, and he will be warm for a day. Set a man on
fire, and he will be warm for the rest of his life." -- John A. Hrastar
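
As an added illustration of the reassembly problem discussed in the message above (not part of the original post, and not code from any NIDS product): a minimal IPv4-style fragment reassembler that records malformed fragments as alerts instead of ignoring them. The tuple format, the alert names and the first-copy-wins overlap policy are assumptions made for this example.

```python
MAX_PAYLOAD = 65535 - 20  # IPv4 total-length limit minus a minimal 20-byte header

def reassemble(fragments):
    """Reassemble the fragments of one datagram (hypothetical helper).

    fragments: iterable of (offset_bytes, more_fragments, payload), arrival order.
    Returns (payload or None, alerts). Anomalies become alerts, never silent drops.
    """
    alerts = []
    buf = {}      # byte position -> value from the first fragment that covered it
    total = None  # datagram length, known once a final fragment has been seen
    for offset, more, data in fragments:
        end = offset + len(data)
        if end > MAX_PAYLOAD:
            alerts.append(f"oversize: fragment ends at {end}")
            continue
        if more and len(data) % 8:
            # Offsets are counted in 8-byte units, so only the last
            # fragment may carry a length that is not a multiple of 8.
            alerts.append(f"bad-length: non-final fragment of {len(data)} bytes")
        if not more:
            if total is not None and total != end:
                alerts.append("conflicting-final-fragment")
            total = end
        for i, b in enumerate(data):
            pos = offset + i
            if pos in buf:
                # End hosts differ in how they resolve overlaps, so the sensor
                # cannot know which copy the destination kept: always alert.
                kind = "overlap-mismatch" if buf[pos] != b else "overlap"
                msg = f"{kind}: at offset {offset}"
                if msg not in alerts:
                    alerts.append(msg)
            else:
                buf[pos] = b  # assumed policy: first copy wins
    if total is None or any(p not in buf for p in range(total)):
        alerts.append("incomplete: missing fragments")
        return None, alerts
    if any(p >= total for p in buf):
        alerts.append("data-past-end")
    return bytes(buf[p] for p in range(total)), alerts

# Constructed sample inputs (not captured traffic).
CLEAN = [(0, True, b"AAAAAAAA"), (8, False, b"BBBB")]
OVERLAP = [(0, True, b"AAAAAAAA"), (8, True, b"BBBBBBBB"), (8, False, b"CCCCCCCC")]
OVERSIZE = [(65528, False, b"X" * 64)]

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("overlap", OVERLAP), ("oversize", OVERSIZE)):
        print(name, reassemble(sample))
```

Even this toy version keeps per-byte state for every in-flight datagram, which gives a sense of the processing cost the message refers to.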