Re: IDS vs Application Proxy Firewal
- From: Damiano Bolzoni <damiano.bolzoni@xxxxxxxxxx>
- Date: Sat, 25 Oct 2008 11:29:27 +0200
alfredhuger@xxxxxxxxxxxxxx wrote:
> Hopefully the open source community will dig in and fix this for everyone else so they can profit on it.
Alfred,
anomaly-based IDSs (let's consider the whole family, not just WAFs) have
been studied for a decade now and, apart from a few isolated attempts, I
haven't seen any significant result either from the open-source
community or from commercial vendors.
Most vendors claim anomaly-detection features for their products because
they monitor behaviours within the network (mainly related to number of
connections per time frame etc.). Open-source tools such as Psyche can
do the same. Those approaches have been refined and work well enough to
be incorporated in commercial products, but definitely miss a lot of bad
things out there.
To detect attacks at payload level (e.g., buffer overflow or SQL
injection attacks), which are the nasty ones, you need to research a lot
before having something that works. I believe that those who do good
research on this topic are not going to release any stable version of
their POC tools, simply because they do not have the time/interest to
develop something as complex as Snort (because that's the quality
standard nowadays).
During BH 2008 in Las Vegas, I attended Breach's presentation about
ModProfiler, the supposed-to-be most significant attempt to bring
anomaly detection inside mature software (and quite a famous one).
Well, if you have time, read this academic paper
http://www.cs.ucsb.edu/~vigna/publications/2005_kruegel_vigna_robertson_CN05.pdf
and you will find some similarities (btw, I asked Ivan Ristic in
person about this and I couldn't "dig" too much out).
It took 3 years to have the open-source implementation of something that
fails in many circumstances (and I heard that from the mouth of one of
the original authors of the paper :)