[nsp] FW Feature Set - reassembly in IDS

From: Maik Bachmann (maik@Ironmaik.COM)
Date: Wed Jan 09 2002 - 17:05:09 EST


Hi,

Working on a test concept for FW-Fset, I'm seeking info on the
reassembly method the integrated IDS system is doing.
Don't mix with PIX or NetRanger IDS, they probably handle it quite differently.
The method of reassembly will affect the way to test and interpret
test results in terms of false positives and others.

Probably it's at least reassembling frags, but what about
  - reordering frags to come along in right sequence
  - stream reassembly
  - state tracking

Yes, I read Marcus's paper on IDS benchmarking ;-)

I assume CBAC is doing frag reassembly anyway (found this in the docu,
but nothing on IDS).

TIA
---Maik

-- 
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
_/ Maik Bachmann ---------------- secnetix GmbH & Co KG
_/ Oettingenstr. 2 -------------- D-80538 Muenchen
_/ Tel(priv.): +49-8093-2962 ---- Mobil: +49-172-8305649
_/ Email: bachmann@secnetix.de -- IRC: IronMaik 
_/ PGP KeyID: F7A67E11 ---------- PGP Fingerprint:
_/ CA 3B AA EB 7F 6F 7D 7A  54 D4 AA 01 82 8E 32 9C
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:28 EDT