Re: IDS vs Application Proxy Firewall



alfredhuger@xxxxxxxxxxxxxx wrote:

Hopefully the open
source community will dig in and fix this for everyone else so they
can profit on it.

Alfred,
anomaly-based IDSs (let's consider the whole family, not just WAFs) have
been studied for a decade now and, apart from a few isolated attempts, I
haven't seen any significant result either from the open-source
community or from commercial vendors.
Most vendors claim anomaly-detection features for their products because
they monitor behaviours within the network (mainly related to number of
connections per time frame etc.). Open-source tools such as Psyche can
do the same. Those approaches have been refined and work well enough to
be incorporated in commercial products, but definitely miss a lot of bad
things out there.
To detect attacks at payload level (e.g., buffer overflow or SQL
injection attacks), which are the nasty ones, you need to research a lot
before having something that works. I believe that those who do good
research on this topic are not going to release any stable version of
their POC tools, simply because they do not have the time/interest to
develop something as complex as Snort (because that's the quality
standard nowadays).
During BH 2008 in Las Vegas, I attended Breach's presentation about
ModProfiler, supposedly the most significant attempt to bring
anomaly detection into mature software (and quite a famous one).
Well, if you have time, read this academic paper
http://www.cs.ucsb.edu/~vigna/publications/2005_kruegel_vigna_robertson_CN05.pdf
and you will find some similarities (btw, I asked Ivan Ristic in
person about this and I couldn't "dig" too much out).
It took 3 years to have an open-source implementation of something that
fails in many circumstances (and I heard that from the mouth of one of
the original authors of the paper :)
