Re: Need advices regarding signature tunning...



I reviewed several IDS/IPS products and I >concluded that there is two kind
of signatures languages.
First one, the simplest, allows attack detection >customization by changing
some value in the signature, or allows creating >new attack by adding a one
line rule (snort rule).

Abhi: In this type of IDS/IPS since you are creating new attack detection by adding one line. These rules will be prone to false positives.

Second one, the hardest, allows full signature >or new protocol state machine
development. by mean of a complete programming >language (N-code).

Abhi: If you are having a protocol parser then they you can ensure the signatures will be active only on the certain part of traffic. However since the IDS is perfroming protocol parsing, it might hit the performance for a system. Performance is an important factor for HIPS where the application and the IDS executes on the same computer.

I would like to know what are the pro/cons of using both methods. I would
appreciate some feedback from some real life experiences, if possible.

TIAI reviewed several IDS/IPS products and I concluded that there is two kind
of signatures languages.
First one, the simplest, allows attack detection customization by changing
some value in the signature, or allows creating new attack by adding a one
line rule (snort rule).
Second one, the hardest, allows full signature or new protocol state machine
development. by mean of a complete programming language (N-code).

I would like to know what are the pro/cons of using both methods. I would
appreciate some feedback from some real life experiences, if possible.

TIA

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------