Re: IPS comparison

From: Mike Poor (mike_at_intelguardians.com)
Date: 08/30/05

  • Next message: David J. Bianco: "Re: Snortcenter, Prelude-IDS - How does it compare to Sguil?" 
    Date: Tue, 30 Aug 2005 19:52:59 +0900
To: Stefano Zanero <s.zanero@securenetwork.it>, Daniel Cid <danielcid@yahoo.com.br>, Focus-Ids Mailing List <focus-ids@securityfocus.com>

    I just got done testing a number of IPS devices using simple publicly
    available tools such as metasploit, fragroute, and bot commands. I think
    before we start worrying about IPS systems blocking arkane, rare, and even
    zero day attacks... they need to start by blocking attacks that have been
    out since 1999!

    Mike

    --On Tuesday, August 30, 2005 12:01 AM +0200 Stefano Zanero
    <s.zanero@securenetwork.it> wrote:

    > Daniel Cid wrote:
    >> This "anomaly" detection will only detect 0-day
    >> exploits for known vulnerabilities.
    >
    > A zero-day exploit is a curious marketing thing. You suddenly redefine a
    > difficult problem (catching zero-days) as a rather simpler problem
    > (create signatures that actually describe the vulnerability, which is
    > what any signature worth your licensing cost should do).
    >
    > So, presto!, you can rush up and put out some rather nice marketing
    > material on it.
    >
    > Fact is, anomaly detection is so rare that it's almost unexistant in the
    > commercial products, except for limited forms of "protocol anomaly
    > detection" and for Arbor's peakflow technology.
    >
    > Best,
    > Stefano Zanero
    > ---------------------------
    > Secure Network S.r.l.
    > www.securenetwork.it
    >
    > ------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it
    > with real-world attacks from CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > ------------------------------------------------------------------------
    >
    >

    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it
    with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------

  • Next message: David J. Bianco: "Re: Snortcenter, Prelude-IDS - How does it compare to Sguil?"

    Relevant Pages

    • Recomended Anomaly Detection Software
      ... I would like to know if there is someone that would recommend a piece of ... software that does a good job at anomaly detection? ... Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. ...
      (Focus-IDS)
    • Re: IDS evaluations procedures
      ... talking about network anomaly detection? ... What kind of anomaly detection are you trying to test? ... > Find out quickly and easily by testing it with real-world attacks from ... > CORE IMPACT. ...
      (Focus-IDS)
    • Re: Sessions Resource Exhaustion
      ... session resources in some firewall and IPS devices. ... IPS devices addressing small business market segments seems to be ... any new connections if all 10000 sessions are used up. ... with real-world attacks from CORE IMPACT. ...
      (Focus-IDS)
    • Re: Wishlist for IPS Products
      ... > recall a discussion on the primary features that an IPS should have ... > - Anomaly detection ... Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. ...
      (Focus-IDS)
    • Re: Tracking back internal incidents to users, not IPs
      ... Note that I am assuming that the source is a DHCP system here (otherwise ... Note that I would take an open source or a commercial product as a ... with real-world attacks from CORE IMPACT. ...
      (Focus-IDS)