Re: IPS comparison

From: Stefano Zanero (s.zanero_at_securenetwork.it)
Date: 08/30/05

    Date: Tue, 30 Aug 2005 00:06:17 +0200
    To: Joey Peloquin <joeyp@cotse.net>, Focus-Ids Mailing List <focus-ids@securityfocus.com>
    
    

    Joey Peloquin wrote:

    > I'm evaluating TippingPoint's device right now, and that's not entirely
    > true. The only *static* signatures used are the AV, Spyware, IM, and
    > P2P filters. Everything else is anomaly-based, through the use of
    > regex,

    First hint of the day: if there is a regexp there, it's NOT anomaly
    detection.

    > and the vulnerabilities themselves.

    Second hint of the day: if the "description of vulnerabilities" is in
    there somewhere, that means "misuse based" detection. Anomaly based
    detection happens when you have a model of what is good, and declare
    what is not good to be bad.

    > This is why TP claims the
    > ability to stop so-called 0-day attacks.

    They can also claim the throne of the kingdom of Hackerhood, but
    nevertheless, this is nothing of the kind.

    > In fact all vendors who claim the ability to stop 0-day attacks do so
    > because they are supposed to be filtering on the vulnerability

    And then they are just deluding their customers.

    > of these devices is the fact that they do "deep packet inspection",
    > rather than a protocol decode and "best guess" based on irregularities in
    > the way it's supposed to function.

    That's called "protocol anomaly detection", and you can find rants about
    it by googling...

    Best,
    Stefano Zanero
    ---------------------------
    Secure Network S.r.l.
    www.securenetwork.it
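Zanero's two hints, illustrated as an added example (not code from this post, from TippingPoint or from any other vendor named in the thread): a regex signature list is misuse detection and can only fire on patterns someone already wrote down, while a profile learned from known-good traffic is anomaly detection and flags anything outside that model, including the unseen variant, at the price of false positives on unusual but benign input. The query-string format, the training requests and the two signatures are all constructed for the example.

```python
import re

# Constructed "known good" query strings used to build the anomaly profile.
NORMAL_TRAFFIC = ["id=123", "id=4567", "id=89", "id=1024", "id=7"]

# Misuse detection: hand-written signatures for attack patterns already known.
SIGNATURES = [re.compile(r"union\s+select", re.I), re.compile(r"\.\./")]


def misuse_alert(request):
    """True only if a signature matches; an unseen pattern is never flagged."""
    return any(sig.search(request) for sig in SIGNATURES)


def train_profile(samples):
    """Anomaly detection: learn, per parameter, the alphabet and length range
    seen in good traffic. This is the 'model of what is good'."""
    profile = {}
    for sample in samples:
        for pair in sample.split("&"):
            key, _, value = pair.partition("=")
            p = profile.setdefault(key, {"chars": set(), "min": len(value), "max": len(value)})
            p["chars"].update(value)
            p["min"] = min(p["min"], len(value))
            p["max"] = max(p["max"], len(value))
    return profile


def anomaly_alert(request, profile):
    """True if any parameter deviates from the learned model, for any reason."""
    for pair in request.split("&"):
        key, _, value = pair.partition("=")
        p = profile.get(key)
        if p is None:                       # parameter never seen in good traffic
            return True
        if not set(value) <= p["chars"]:    # characters outside the learned alphabet
            return True
        if not p["min"] <= len(value) <= p["max"]:  # length outside the learned range
            return True
    return False


if __name__ == "__main__":
    profile = train_profile(NORMAL_TRAFFIC)
    for req in ["id=99", "id=1 UNION SELECT x", "id=1' OR 1=1", "id=00000000000"]:
        print(f"{req!r:24} misuse={misuse_alert(req)} anomaly={anomaly_alert(req, profile)}")
```

The third request has no signature, so the misuse detector stays silent while the profile flags it; the fourth is benign but eleven digits long, which the strict length model also flags, showing why anomaly detectors trade missed attacks for false positives rather than eliminating either.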


