Re: IPS comparison

From: Ron Gula (rgula_at_tenablesecurity.com)
Date: 08/30/05

    Date: Mon, 29 Aug 2005 20:55:44 -0400
    To: Focus-Ids Mailing List <focus-ids@securityfocus.com>

    At 06:01 PM 8/29/2005, Stefano Zanero wrote:
    >Daniel Cid wrote:
    > > This "anomaly" detection will only detect 0-day
    > > exploits for known vulnerabilities.
    >
    >A zero-day exploit is a curious marketing thing. You suddenly redefine a
    >difficult problem (catching zero-days) as a rather simpler problem
    >(create signatures that actually describe the vulnerability, which is
    >what any signature worth your licensing cost should do).
    >
    >So, presto!, you can rush up and put out some rather nice marketing
    >material on it.
    >
    >Fact is, anomaly detection is so rare that it's almost nonexistent in the
    >commercial products, except for limited forms of "protocol anomaly
    >detection" and for Arbor's Peakflow technology.

    Two comments here.

    - Lots of NIDS that tend to code for a vulnerability don't actually
       code for the vulnerability. They are still writing attack signatures.
       The attack signatures are smarter than what was standard about five
       years ago, but I've yet to really see a NIDS come out of the box
       with full vuln/IDS correlation.

    - I agree that "anomaly detection" != "zero day" detection. Just because
       my DNS server starts to connect to all the other hosts on my network
       doesn't mean it has got a worm on it.

    Ron Gula, CTO
    Tenable Network Security
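The two distinctions Ron draws above (an attack signature that matches one exploit's bytes versus a check on the condition the vulnerability actually depends on, a vuln/IDS correlation that asks whether the target is even vulnerable, and a fan-out anomaly that is a lead rather than a worm verdict) are illustrated below in a small Python example. This is an added example for this archive page, not code from the list post or from any Tenable product; the "CMD" protocol, the 64-byte buffer, the host addresses and the flow records are all constructed for the illustration and do not describe a real vulnerability.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical protocol (constructed for this example, not a real CVE):
# a request is b"CMD <name>\n" and the flawed server copies <name> into a
# 64-byte buffer, so any name longer than 64 bytes is the actual bug.
MAX_NAME = 64

# Attack signature: the exact bytes one particular public exploit sends.
EXPLOIT_PATTERN = b"CMD " + b"A" * 100


def attack_signature(request: bytes) -> bool:
    """Matches the one exploit it was written for and nothing else."""
    return request.startswith(EXPLOIT_PATTERN)


def vulnerability_signature(request: bytes) -> bool:
    """Matches the condition the bug depends on: an over-long name,
    whatever bytes it is padded with."""
    if not request.startswith(b"CMD "):
        return False
    name = request[4:].split(b"\n", 1)[0]
    return len(name) > MAX_NAME


# Constructed inventory of hosts still running the vulnerable version;
# in a real deployment this would come from a vulnerability scanner.
VULNERABLE_HOSTS = {"10.0.0.5"}


@dataclass(frozen=True)
class Alert:
    dst: str
    rule: str
    target_vulnerable: bool  # the vuln/IDS correlation the post says is missing


def inspect(dst: str, request: bytes) -> list[Alert]:
    """Run both rule styles and annotate each hit with the target's vuln status."""
    alerts = []
    for rule, check in (("known-exploit", attack_signature),
                        ("overlong-name", vulnerability_signature)):
        if check(request):
            alerts.append(Alert(dst, rule, dst in VULNERABLE_HOSTS))
    return alerts


def fanout_anomalies(flows: list[tuple[str, str]], threshold: int) -> dict[str, int]:
    """Return sources talking to more than `threshold` distinct destinations.
    This is an anomaly, not a verdict: a DNS server legitimately fans out."""
    peers = defaultdict(set)
    for src, dst in flows:
        peers[src].add(dst)
    return {src: len(d) for src, d in peers.items() if len(d) > threshold}


if __name__ == "__main__":
    # Constructed traffic: the published exploit, a re-padded variant of it
    # that the byte-pattern rule misses, and a legitimate short request.
    for dst, req in [("10.0.0.5", b"CMD " + b"A" * 100 + b"\n"),
                     ("10.0.0.9", b"CMD " + b"B" * 100 + b"\n"),
                     ("10.0.0.5", b"CMD backup\n")]:
        print(dst, [(a.rule, a.target_vulnerable) for a in inspect(dst, req)])
    # Constructed flows: the DNS server answering thirty clients.
    flows = [("10.0.0.53", f"10.0.1.{i}") for i in range(30)] + [("10.0.0.7", "10.0.0.53")]
    print(fanout_anomalies(flows, threshold=20))
```

The re-padded request to 10.0.0.9 is the case that matters: the byte-pattern rule stays silent, the vulnerability-condition rule fires, and the correlation field says the target is not in the vulnerable inventory, which is exactly the context an analyst needs to triage the alert. The fan-out function deliberately returns counts rather than a "worm" label for the same reason the post gives.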
