Anyone here play with one of these yet?

  • administrators

    This thing looks quite interesting, has anyone here had a chance to play with one yet?

    I’ve demoed a few different Intrusion Detection products, but they usually have 2 problems, poor performance and LOTS of false positives. Interestingly enough, the best solution I’ve found so far is Snort, but it requires a ton of tweaking and setup to get it working correctly in a large environment. And it still suffered from performance problems, but not nearly as bad as some of the other products I tried (though this may have been fixed with the rule compiler that was just released for it).

    I’d be very curious to see IDP’s ability to weed out the false positives though. Busy networks throw a ton of false positives with all the products I’ve tried, which makes realtime alerting nearly useless with most products, and fills your alert database so full of crap that it’s hard to pick out the stuff you really need to worry about. Even a sales rep (from a vendor I won’t name) admitted that their product threw false positives, but since all other products do, it’s okay. Probably not the way to sell a product, but at least he was honest about it. 🙂

    Someone, please post your experiences with this.

  • Anyone got any idea how the IDP would compare against something like ISS RealSecure running on a Nokia appliance?


  • I’ve had a chance to play with it some. It uses quite a few innovative techniques to reduce the false positives. The best one I know of is context filtering/protocol statefulness (I don’t know their Marketing term for it). I’ll use one of their examples to demonstrate:

    The SMTP command ‘EXPN’ can be used to ‘expand’ information on a particular account serviced by the SMTP server. Sometimes, an ‘EXPN root’ will give an attacker clues on what things to try for brute force or social engineering attacks. Running EXPN against an alias typically brings back all members of that alias - good for snarfing up emails for spam, or recruiting.

    Most IDS, then, look for the “EXPN” string on port 25 (SMTP), and call it an ‘EXPN attack’.

    But what if you cut and pasted my description above and sent it as an email to someone else, saying, “Hey, check out this EXPN attack!” - most IDS would flag your email as an attack, since your mail went over port 25, and contained the text in question.

    IDP allows you to specify where in the overall session to look for a particular string - in this case, the only place to worry about it is during the SMTP command state, not the data state (where your email text is passed). This capability significantly reduces the number of false positives.

    There’s a bunch of other things that make this substantially better than Snort and other IDS’s (although I admit to running Snort at home - heck, it’s free). The primary engine for it is a kernel module, riding right on top of the device drivers, so it’s quite fast (but still a lot slower than NetScreen firewalls).

    Rumor has it they’re working on putting this on an ASIC or similar silicon, which would make the speed issue somewhat moot. 😉
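The EXPN example in the post above, as an added illustration that is not code from the thread or from the IDP product: a toy SMTP session tracker that distinguishes the command state from the DATA state and only raises an alert on EXPN when it is actually sent as a command. It is run over a constructed client-side session in which a legitimate email body quotes the word EXPN (and even a line that looks like "EXPN root") before the client issues a real EXPN command. The naive matcher stands in for the "look for the string on port 25" approach; the function names, the sample session and the single-session scope are all assumptions of this example.

```python
"""Stateful vs. naive EXPN detection over a constructed SMTP client stream.

This is an added example, not code from the thread or any IDS/IDP product.
It models one SMTP session as a list of client lines (CRLF stripped).
"""
from typing import List

# Constructed sample session (client side only). Indices 6 and 7 are body
# text inside DATA; index 9 is the only real EXPN command.
SAMPLE_SESSION: List[str] = [
    "EHLO mail.example.test",            # 0
    "MAIL FROM:<alice@example.test>",    # 1
    "RCPT TO:<bob@example.test>",        # 2
    "DATA",                              # 3  -> server would reply 354
    "Subject: IDS question",             # 4
    "",                                  # 5
    "Hey, check out this EXPN attack!",  # 6  body text, not a command
    "EXPN root",                         # 7  body text, still not a command
    ".",                                 # 8  end of message, back to commands
    "EXPN root",                         # 9  genuine EXPN command
    "QUIT",                              # 10
]


def naive_matches(lines: List[str]) -> List[int]:
    """Payload-only matching: flag every line containing the string EXPN.

    This mirrors a signature that inspects port 25 traffic without tracking
    where in the session the bytes occur, so quoted body text fires too.
    """
    return [i for i, line in enumerate(lines) if "EXPN" in line.upper()]


def stateful_matches(lines: List[str]) -> List[int]:
    """Protocol-state-aware matching: flag EXPN only in the command state.

    A small state machine: after the client sends DATA, every line until a
    lone '.' is message content and is never interpreted as a command.
    """
    state = "command"
    hits: List[int] = []
    for i, raw in enumerate(lines):
        line = raw.rstrip("\r\n")
        if state == "data":
            if line == ".":          # end-of-data marker, resume commands
                state = "command"
            continue                 # body text is never a command
        verb = line.split(" ", 1)[0].upper() if line else ""
        if verb == "EXPN":
            hits.append(i)
        elif verb == "DATA":
            state = "data"
    return hits


def false_positives(lines: List[str]) -> List[int]:
    """Lines the naive matcher flags that the stateful matcher does not."""
    return sorted(set(naive_matches(lines)) - set(stateful_matches(lines)))


if __name__ == "__main__":
    print("naive   :", naive_matches(SAMPLE_SESSION))
    print("stateful:", stateful_matches(SAMPLE_SESSION))
    print("false positives avoided:", false_positives(SAMPLE_SESSION))
```

On the constructed session the naive matcher flags three lines (the two body lines and the real command) while the stateful matcher flags only the real command; the two body lines are exactly the "cut and paste my description into an email" case from the post. A production engine would additionally have to track the server's replies (a DATA that the server rejects never enters the data state) and reassemble the TCP stream before this kind of state tracking is reliable, which is part of why such engines live close to the packet path.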