Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection

January, 1998 | Thomas H. Ptacek, Timothy N. Newsham
This paper discusses the limitations of network intrusion detection (ID) systems that rely on passive protocol analysis, in which the system monitors network traffic to identify suspicious patterns. The authors argue that this approach is fundamentally flawed: there is insufficient information on the wire to reconstruct reliably what is happening on the monitored hosts, and the systems are "fail-open" by nature. They define three classes of attack that exploit these flaws against sniffer-based network ID systems: insertion, evasion, and denial of service (DoS). These attacks can bypass the ID system or disrupt and disable it, making it unreliable. Tests presented in the paper show that all four of the most popular ID systems examined are vulnerable to these attacks.

The paper also describes the CIDF model of intrusion detection systems, whose components include event generators, analysis engines, storage mechanisms, and countermeasures, and it examines the specific problems of passive protocol analysis, including ambiguities in packet interpretation and the difficulty of accurately reconstructing what is happening on a computer system. Having set out why reliable intrusion detection is needed and where ID systems are vulnerable, the authors conclude that network ID systems are inherently vulnerable to these attacks and cannot be fully trusted until they are fundamentally redesigned.
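To make the "ambiguity in packet interpretation" concrete, here is a small added simulation (not code from the paper or its authors) of TCP stream reassembly: the same segments produce different byte streams depending on which overlap policy the reassembler applies, so a passive monitor that guesses the end host's policy may see a different stream than the host does. A monitor that flags conflicting overlaps instead of silently picking one byte fails closed rather than open. The `Segment` class, the policy names and the sample bytes are constructed for this example.

```python
"""Simulate TCP segment reassembly under two overlap policies (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first byte
    data: bytes   # payload carried by this segment


def reassemble(segments, policy):
    """Rebuild the byte stream; list order is arrival order.

    policy "first": bytes seen earlier win (later overlaps ignored)
    policy "last":  bytes seen later win (later overlaps overwrite)
    """
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    out = bytearray()
    while len(out) in stream:   # stop at the first hole in the sequence space
        out.append(stream[len(out)])
    return bytes(out)


def conflicting_overlaps(segments):
    """Offsets where two segments disagree about a byte.

    A monitor that cannot know the end host's policy should alert on any
    non-empty result instead of silently choosing one interpretation.
    """
    seen, conflicts = {}, set()
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off in seen and seen[off] != byte:
                conflicts.add(off)
            seen.setdefault(off, byte)
    return sorted(conflicts)


# Constructed traffic: a retransmission whose payload disagrees with the original.
AMBIGUOUS = [Segment(0, b"HELLO "), Segment(6, b"WORLD"), Segment(6, b"there")]
# Constructed traffic: an ordinary retransmission carrying identical bytes.
CLEAN = [Segment(0, b"HELLO "), Segment(6, b"WORLD"), Segment(6, b"WORLD")]

if __name__ == "__main__":
    for name, segs in (("ambiguous", AMBIGUOUS), ("clean", CLEAN)):
        print(name, reassemble(segs, "first"), reassemble(segs, "last"),
              "conflicts:", conflicting_overlaps(segs))
```

Two reassemblers applying different policies to the ambiguous capture disagree on five bytes, which is exactly the gap an insertion or evasion exploits; the clean retransmission yields one stream under both policies and no alert.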