This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IDS vs IPS

Hi,

I think IDS is a very nice feature for Astaro V5, but:

- I don't want to be alerted that someone is hacking my computers.
- I want to be alerted that someone was trying to hack my computers.

This can be confusing, i know [:)]

The IDS, warns me of potencial unsafe packets if the rules aren't on drop mode right ?

So if i put those rules in block mode, I have an IPS [:)]
But do I also get a warning ?

Do you see any problem, if I just put all those rules to drop the packets ?

This thread was automatically locked due to age.

0 JimmyM over 21 years ago

If it drops, you get an alert as well as if it were set to alert alone.

There may be some legitimate traffic that shouldn't be blocked.
For instance...
Policy based rules. There's one in there for Anonymous FTP traffic. If you host anonymous FTP, there's a problem.

Also, logging into a windows server using 2000/XP will give an alert on rule 2404 (A NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt). But it's me that's creating the traffic, I don't want it dropped.
I get an alert on rule 2519 (A SMTP Client_Hello overflow attempt) sometimes when I'm sending mail via SSL on port 465. It shouldn't be dropped but it gives an alert anyway.

I'm sure there are other examples, but you get the idea.
Let it run in alert mode to see if there are any trends/patterns and re-evaluate your IDS/IPS policies from there.
Cancel
Vote Up 0 Vote Down

Cancel
0 FernandoNunes over 21 years ago

Hmm.. I think I'll do that... and btw I've already seen a block warning [:)]

Thkx
Cancel
Vote Up 0 Vote Down

Cancel