Re: IPS comparison
From: Sanjay Rawat (sanjayr_at_intoto.com)
Date: 08/30/05
Date: Tue, 30 Aug 2005 09:52:27 +0530
To: Stefano Zanero <s.zanero@securenetwork.it>, Focus-Ids Mailing List <focus-ids@securityfocus.com>
Hi Stefano:
I got confused over one comment made by you: "First hint of the day: if
there is a regexp there, it's NOT anomaly detection." Why is it so? I can
use association or frequent episode rules to capture normal behavior (you
know this), and I can use regexp to represent such rules. In this case, it
is anomaly-based detection with regexp. Am I missing something?
Regards
Sanjay
At 03:36 AM 8/30/2005, Stefano Zanero wrote:
>Joey Peloquin wrote:
>
> > I'm evaluating TippingPoint's device right now, and that's not entirely
> > true. The only *static* signatures used are the AV, Spyware, IM, and
> > P2P filters. Everything else is anomaly-based, through the use of
> > regex,
>
>First hint of the day: if there is a regexp there, it's NOT anomaly
>detection.
>
> > and the vulnerabilities themselves.
>
>Second hint of the day: if the "description of vulnerabilities" is in
>there somewhere, that means "misuse based" detection. Anomaly based
>detection happens when you have a model of what is good, and declare
>what is not good to be bad.
>
> > This is why TP claims the
> > ability to stop so-called 0-day attacks.
>
>They can also claim the throne of the kingdom of Hackerhood, but
>nevertheless, this is nothing of the kind.
>
> > In fact all vendors who claim the ability to stop 0-day attacks do so
> > because they are supposed to be filtering on the vulnerability
>
>And then they are just deluding their customers.
>
> > of these devices is the fact that they do "deep packet inspection",
> > rather than a protocol decode and "best guess" based on irregularities in
> > the way it's supposed to function.
>
>That's called "protocol anomaly detection", and you can find rants about
>it by googling...
>
>Best,
>Stefano Zanero
>---------------------------
>Secure Network S.r.l.
>www.securenetwork.it
>
>------------------------------------------------------------------------
>Test Your IDS
>
>Is your IDS deployed correctly?
>Find out quickly and easily by testing it
>with real-world attacks from CORE IMPACT.
>Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>to learn more.
>------------------------------------------------------------------------
Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta, Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
Homepage: http://sanjay-rawat.tripod.com
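To make the regexp question in this exchange concrete, here is an added example (mine, not code from the thread or from any vendor's product): the same regexp engine used in both paradigms on constructed HTTP request lines. The anomaly detector compiles a model of normal from observed traffic and alerts on whatever fails to match it; the misuse detector alerts on whatever matches a known-bad signature. The request lines, the min_support threshold and the signature are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample traffic (assumption): request lines seen during a "learning" period.
TRAINING = [
    "GET /index.html HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /images/bg.png HTTP/1.1",
    "POST /login HTTP/1.1",
    "POST /login HTTP/1.1",
    "GET /robots.txt HTTP/1.1",  # seen once: below min_support, so not part of "normal"
]

# Constructed sample traffic (assumption): request lines seen during detection.
TEST = [
    "GET /images/logo.png HTTP/1.1",
    "GET /admin/config HTTP/1.1",
    "GET /images/../private.txt HTTP/1.1",
    "POST /login HTTP/1.1",
    "GET /robots.txt HTTP/1.1",
]


def learn_normal_model(requests, min_support=2):
    """Anomaly-based: build a model of GOOD from observed traffic.
    The model is the set of (method, first path segment) pairs seen at least
    min_support times, compiled into one regexp that accepts only those."""
    counts = Counter()
    for line in requests:
        m = re.match(r"([A-Z]+) /([^/ ?]*)", line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    alts = [f"{re.escape(method)} /{re.escape(seg)}(?:[/? ]|$)"
            for (method, seg), n in counts.items() if n >= min_support]
    if not alts:  # an empty alternation would match everything, i.e. alert on nothing
        raise ValueError("no frequent patterns learned; model would be empty")
    return re.compile("^(?:" + "|".join(alts) + ")")


def anomaly_alerts(model, requests):
    """Alert on what does NOT match the learned model of normal."""
    return [r for r in requests if not model.match(r)]


# Misuse-based: a regexp describing known BAD input (here, a "../" traversal sequence).
MISUSE_SIGNATURES = re.compile(r"\.\./")


def misuse_alerts(requests):
    """Alert on what DOES match a known-bad signature."""
    return [r for r in requests if MISUSE_SIGNATURES.search(r)]
```

Run against TEST, the anomaly model flags /admin/config and the infrequent /robots.txt (a false positive) but accepts the traversal under /images/, while the misuse signature flags only the traversal: the regexp is the same mechanism in both, and what makes it anomaly detection is that it describes normal and alerts on non-matches.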