Re: IPS comparison

From: Sanjay Rawat (sanjayr_at_intoto.com)
Date: 08/30/05

  • Next message: Stefano Zanero: "Re: IPS comparison"
    Date: Tue, 30 Aug 2005 09:52:27 +0530
    To: Stefano Zanero <s.zanero@securenetwork.it>, Focus-Ids Mailing List <focus-ids@securityfocus.com>
    
    

    Hi Stefano:
    I got confused over one comment made by you: "First hint of the day: if
    there is a regexp there, it's NOT anomaly
    detection." Why is it so? I can use association or frequent episode rules
    to capture normal behavior (you know this), and I can use regexp to
    represent such rules. In this case, it is anomaly based detection with
    regexp. Am I missing something?

    Regards
    Sanjay

    At 03:36 AM 8/30/2005, Stefano Zanero wrote:
    >Joey Peloquin wrote:
    >
    > > I'm evaluating TippingPoint's device right now, and that's not entirely
    > > true. The only *static* signatures used are the AV, Spyware, IM, and
    > > P2P filters. Everything else is anomaly-based, through the use of
    > > regex,
    >
    >First hint of the day: if there is a regexp there, it's NOT anomaly
    >detection.
    >
    > > and the vulnerabilities themselves.
    >
    >Second hint of the day: if the "description of vulnerabilities" is in
    >there somewhere, that means "misuse based" detection. Anomaly based
    >detection happens when you have a model of what is good, and declare
    >what is not good to be bad.
    >
    > > This is why TP claims the
    > > ability to stop so-called 0-day attacks.
    >
    >They can also claim the throne of the kingdom of Hackerhood, but
    >nevertheless, this is nothing of the kind.
    >
    > > In fact all vendors who claim the ability to stop 0-day attacks do so
    > > because they are supposed to be filtering on the vulnerability
    >
    >And then they are just deluding their customers.
    >
    > > of these devices is the fact that they do "deep packet inspection",
    > > rather than a protocol decode and "best guess" based on irregularities in
    > > the way it's supposed to function.
    >
    >That's called "protocol anomaly detection", and you can find rants about
    >it by googling...
    >
    >Best,
    >Stefano Zanero
    >---------------------------
    >Secure Network S.r.l.
    >www.securenetwork.it
    >
    >------------------------------------------------------------------------
    >Test Your IDS
    >
    >Is your IDS deployed correctly?
    >Find out quickly and easily by testing it
    >with real-world attacks from CORE IMPACT.
    >Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    >to learn more.
    >------------------------------------------------------------------------

    Sanjay Rawat
    Senior Software Engineer
    INTOTO Software (India) Private Limited
    Uma Plaza, Above HSBC Bank, Nagarjuna Hills
    PunjaGutta, Hyderabad 500082 | India
    Office: +91 40 23358927/28 Extn 422
    Website: www.intoto.com
    Homepage: http://sanjay-rawat.tripod.com
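    The following is an added illustration of the two paradigms argued about in this thread; it is not code from either poster, from Intoto, or from any product named above. It contrasts a learning phase that derives a per-parameter regexp from benign traffic (the model of "what is good" that Stefano describes, expressed as a regexp the way Sanjay suggests) with a fixed, hand-written signature (the "given set of regexps" that marks misuse detection). The training query strings, the test inputs and the SQL-injection signature are all constructed for the demonstration and are assumptions, not captured traffic or any vendor's rule.

```python
import re
import string
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed training traffic, assumed benign: query strings seen during a
# learning phase. Illustrative only, not real captured requests.
TRAINING = [
    "id=17&user=alice",
    "id=1024&user=bob",
    "id=3&user=carol_9",
    "id=88&user=dave",
    "id=4711&user=erin",
]

# Misuse detection: a static, hand-written signature describing the attack.
# Stand-in for a vendor-shipped SQL-injection regexp; assumption, not a product rule.
SQLI_SIGNATURE = re.compile(r"(?i)union\s+select|'\s*or\s*'|--\s*$")


def _char_class(c):
    """Generalise one observed character to the class it will be allowed from."""
    if c in string.digits:
        return "0-9"
    if c in string.ascii_uppercase:
        return "A-Z"
    if c in string.ascii_lowercase:
        return "a-z"
    return re.escape(c)  # any other character is allowed only as itself


def learn_profile(samples, slack=1.5):
    """Anomaly detection, learning phase: build a model of normal per parameter.

    The learned rule (alphabet plus length bounds) is emitted as a regexp that is
    derived from the data rather than given a priori.
    """
    classes = defaultdict(set)
    lengths = defaultdict(list)
    for qs in samples:
        for name, value in parse_qsl(qs, keep_blank_values=True):
            classes[name].update(_char_class(c) for c in value)
            lengths[name].append(len(value))
    profile = {}
    fixed = ("0-9", "A-Z", "a-z")
    for name, seen in classes.items():
        ordered = [k for k in fixed if k in seen] + sorted(k for k in seen if k not in fixed)
        cls = "".join(ordered)
        lo = min(lengths[name])
        hi = int(max(lengths[name]) * slack) + 1  # tolerate some growth beyond what was seen
        profile[name] = re.compile(rf"^[{cls}]{{{lo},{hi}}}$")
    return profile


def anomaly_detect(profile, qs):
    """Anomaly detection, detection phase: flag whatever the model of normal does
    not cover. No attack is described anywhere, so a never-seen attack and a
    benign value missing from training are flagged the same way."""
    alerts = []
    for name, value in parse_qsl(qs, keep_blank_values=True):
        rule = profile.get(name)
        if rule is None:
            alerts.append((name, "parameter never seen in training"))
        elif not rule.match(value):
            alerts.append((name, f"{value!r} outside learned rule {rule.pattern}"))
    return alerts


def misuse_detect(qs):
    """Misuse detection: flag only what the static signature describes."""
    return [name for name, value in parse_qsl(qs, keep_blank_values=True)
            if SQLI_SIGNATURE.search(value)]


if __name__ == "__main__":
    profile = learn_profile(TRAINING)
    for name, rule in profile.items():
        print(f"learned {name}: {rule.pattern}")
    for qs in ["id=42&user=frank",              # benign, inside the model
               "id=1' or '1'='1&user=alice",    # classic SQLi: both detectors fire
               "id=1 AND SLEEP(5)&user=alice",  # not in the signature: only the model fires
               "id=7&user=o'brien"]:            # benign but unseen: the model false-positives
        print(qs, "| misuse:", misuse_detect(qs), "| anomaly:", anomaly_detect(profile, qs))
```

    The third input is the "0-day" case in the thread: the signature has no description of it, so misuse detection stays silent while the learned model flags it. The fourth input shows the price: a value the training set never covered is reported as anomalous even though it is harmless, which is why a regexp set shipped in a product and a regexp learned from the deployment's own traffic behave very differently despite sharing a syntax.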


