RE: Anomaly Based Network IDS
From: Drew Copley (dcopley_at_eEye.com)
Date: 06/23/04
- Previous message: Thierry Evangelista: "RE: ssh and ids"
- Maybe in reply to: Joe Dauncey: "Anomaly Based Network IDS"
- Next in thread: Drew Copley: "RE: Anomaly Based Network IDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 23 Jun 2004 13:25:39 -0700
To: <focus-ids@securityfocus.com>, <secdistlist@dauncey.net>
> -----Original Message-----
> From: Drew Copley
> Sent: Tuesday, June 22, 2004 8:35 PM
> To: 'Wozny, Scott (US - New York)';
> focus-ids@securityfocus.com; secdistlist@dauncey.net
> Subject: RE: Anomaly Based Network IDS
>
>
>
> > -----Original Message-----
> > From: Wozny, Scott (US - New York) [mailto:swozny@deloitte.com]
> > Sent: Tuesday, June 22, 2004 2:32 PM
> > To: Drew Copley; Aaron Jordan; focus-ids@securityfocus.com;
> > secdistlist@dauncey.net
> > Subject: RE: Anomaly Based Network IDS
> >
> > Semantics aside, I find the smoke and mirrors aspect of this technology
> > fascinating. The bottom line is this. The heart of anomaly based IDS
> > is to tell you that your network traffic patterns (from what you're
> > feeding the device) are noticeably different today than they were
> > yesterday (or an hour ago or 5 minutes ago or whatever). While this is
> > an interesting value proposition, it's an addition to, not a replacement
> > for, classical signature based IDS (or IPS if you're brave) that those
> > in the trenches rely upon every day to tell them who is knocking at
> > their doors and who brought in an infected laptop from home that's
> > raising hell on the intranet. If an exploit is released for a
> > vulnerability that isn't known in the security community (specifically
> > the signature-based vendors) yet, then anomaly based IDS does have a real
> > opportunity to be your first warning that something is amiss.
>
> [Noting that the original post was from Lancope itself, posing
> as an actual customer that had "found zero day vulnerabilities" --
> one of the most absurd and misinformed lines I have heard in a
> long time... noting and moving on.]
>
> There are several chances to "find" zero day. This is not a
> semantic issue, at all. It is a very critical issue.
>
> If people are clutching at smoke and mirrors, they will find
> themselves in deep water when the ship is sinking. To continue
> with the analogy.
>
> Anyway, you are right, the technology is advancing; here is
> a fresher article with a less entertaining but more pertinent
> title:
>
> http://www.nwc.securitypipeline.com/howto/showArticle.jhtml?articleId=17602432&pgno=1
>
> Lancope's StealthWatch gets a C+, btw.
<snip>
I should note, ordinarily, I would never point out such things.
I have not tested Lancope's StealthWatch, and have no idea
how good or bad it was. Reviews can often be unfair -- they
can get a bad build, or they can represent a product far behind
what soon-to-be-revealed future fixes will show. They represent
a version at a static point in time... often the version just
before the version reviewed, or the version a few months after
the review, will have the bad issues solved.
Sometimes, not. But, often so. Such is a secondary benefit of
the reviewing process -- major bugs are forced into the spotlight.
As I am sure we all realize, the forged post was made by a single,
ambitious but misinformed individual -- as it reeks of. My general
comments were not stated with Lancope in mind, at all... whose product
I have admittedly not tested.
So, just to be fair.
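To make the distinction drawn in the quoted paragraph concrete (a baseline that says "today's traffic looks different from yesterday's" versus a rule that says "this is a known bad pattern"), here is an added example that is not code from this thread or from any product mentioned in it. It builds a per-source baseline of flows per minute and destination ports from a constructed "yesterday" window, then runs both a 3-sigma baseline check and a single port-based stand-in "signature" over a constructed window under inspection. The hosts, ports, threshold and the signature itself are assumptions for illustration only.

```python
"""Toy comparison of signature-based and baseline (anomaly-based) detection
over constructed NetFlow-style records.  Added example; not code from the
focus-ids thread or from any product mentioned in it.  All hosts, ports,
thresholds and the 'signature' below are assumptions for illustration."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed flow records: (minute, src, dst, dport).  Minutes 0-9 form the
# "yesterday" training window; minute 10 is the window under inspection.
BASELINE_FLOWS = [
    (m, "10.0.0.5", "10.0.1.%d" % (i % 3), 443)
    for m in range(10) for i in range(4)          # 4 flows/min from .5
] + [
    (m, "10.0.0.7", "10.0.1.9", 445)
    for m in range(10) for _ in range(2)          # 2 flows/min from .7
]
# Minute 10: .5 behaves as usual; .7 suddenly fans out to 40 distinct hosts
# on a port it never used before (worm-like, no signature exists for it),
# and .9 sends one probe that matches the constructed "known bad" rule.
TEST_FLOWS = [(10, "10.0.0.5", "10.0.1.%d" % (i % 3), 443) for i in range(4)]
TEST_FLOWS += [(10, "10.0.0.7", "10.0.2.%d" % i, 5554) for i in range(40)]
TEST_FLOWS += [(10, "10.0.0.9", "10.0.1.9", 135)]

# Assumed signature: a destination-port rule standing in for the content
# rule a signature IDS would ship once an exploit is publicly known.
SIGNATURES = {135: "known-exploit-probe (assumed signature)"}


def per_minute_counts(flows):
    """-> {src: [flows in first minute, next minute, ...]} for minutes present."""
    minutes = sorted({m for m, *_ in flows})
    c = Counter((m, s) for m, s, *_ in flows)
    return {s: [c[(m, s)] for m in minutes] for s in {s for _, s, *_ in flows}}


def build_baseline(flows):
    """Per-source mean and std-dev of flows/minute plus the set of dst ports seen."""
    base = {}
    ports = defaultdict(set)
    for _, s, _, p in flows:
        ports[s].add(p)
    for s, counts in per_minute_counts(flows).items():
        base[s] = {"mean": mean(counts), "sd": pstdev(counts), "ports": ports[s]}
    return base


def anomaly_detect(baseline, flows, z=3.0):
    """Flag sources whose flow rate or port use departs from their baseline.
    Returns {src: [reasons]}.  Sources with no baseline are flagged as such."""
    alerts = defaultdict(list)
    for s, counts in per_minute_counts(flows).items():
        rate = mean(counts)
        if s not in baseline:
            alerts[s].append("no baseline for source")
            continue
        b = baseline[s]
        # A perfectly regular training window gives sd == 0; use a floor of
        # 1 flow/min so the threshold is never just the mean itself.
        limit = b["mean"] + z * max(b["sd"], 1.0)
        if rate > limit:
            alerts[s].append(f"rate {rate:.0f}/min > {limit:.1f}")
        new_ports = {p for _, src, _, p in flows if src == s} - b["ports"]
        if new_ports:
            alerts[s].append(f"new dst ports {sorted(new_ports)}")
    return dict(alerts)


def signature_detect(flows):
    """Return (src, signature name) for every flow matching a known rule."""
    return [(s, SIGNATURES[p]) for _, s, _, p in flows if p in SIGNATURES]


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    print("anomaly:", anomaly_detect(base, TEST_FLOWS))
    print("signature:", signature_detect(TEST_FLOWS))
```

Run as written, the baseline check flags 10.0.0.7 (rate jump and a never-seen port) and 10.0.0.9 (no history at all), while the signature check fires only on 10.0.0.9's port-135 probe and says nothing about the fan-out from 10.0.0.7, which is exactly the "first warning" case the quoted text describes; the flip side, also visible here, is that a host with no baseline is noise to the anomaly detector until a baseline exists, while the signature rule names the known probe precisely.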