Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



IDS: Re: Definition of Zero Day Protection

Re: Definition of Zero Day Protection

From: Andy Cuff <lists_at_securitywizardry.com>
Date: Mon, 9 Aug 2004 23:42:29 +0100

Hi all,
With regard to host IPS they often refer to methods to reduce the likelihood
of a buffer overflow as "Zero Day" protection, however, judging by the
claims in the Phrack article "Bypassing 3rd Party Windows Buffer Overflow
Protection "
http://www.phrack.org/phrack/62/p62-0x05_Bypassing_Win_BufferOverflow_Protection.txt
their success varies. (biting tongue)

-andy
Talisker's Computer Security Portal
Computer Network Defence Ltd
http://www.securitywizardry.com

----- Original Message -----
From: "Teicher, Mark (Mark)" <teicher_at_avaya.com>
To: "Drew Simonis" <simonis_at_myself.com>; <focus-ids_at_securityfocus.com>
Cc: "Seanor, Joseph (Joe)" <jseanor_at_avaya.com>
Sent: Monday, August 09, 2004 8:14 PM
Subject: RE: Definition of Zero Day Protection

Drew,

What host based products would fit this category based on the definition
?? Do they really work ??

-----Original Message-----
From: Drew Simonis [mailto:simonis_at_myself.com]
Sent: Monday, August 09, 2004 01:07 PM
To: Teicher, Mark (Mark); focus-ids_at_securityfocus.com
Cc: Seanor, Joseph (Joe)
Subject: Re: Definition of Zero Day Protection

----- Original Message -----
From: "Teicher, Mark (Mark)"
Date: Sun, 8 Aug 2004 19:47:48 -0600
Subject: Definition of Zero Day Protection

> What is Zero Day Protection

It is, as you stated, another marketing blurb, but it isn't just that.
Usually, this bit of jargon is applied to a detection/prevention system
that uses things like heuristic detection techniques, behavior based
detection, protocol anomoly or some other advanced methods. These allow
the activity to be blocked or alerted on, as opposed to the specific
event.

So, for example, a worm can be characterized by certain activity. Say,
opening connections to lots of remote hosts in a short period of time.
This behavior can be blocked (e.g. the process can be killed) even
without knowing that it was WormX.

hth,
-Ds

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Received on Aug 11 2004

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]