Re: IPS comparison

[Ron Gula <rgula () tenablesecurity com>]

At 06:01 PM 8/29/2005, Stefano Zanero wrote:
> Daniel Cid wrote:
> > This "anomaly" detection will only detect 0-day
> > exploits for known vulnerabilities.
>
> A zero-day exploit is a curious marketing thing. You suddenly redefine a
> difficult problem (catching zero-days) as a rather simpler problem
> (create signatures that actually describe the vulnerability, which is
> what any signature worth your licensing cost should do).
>
> So, presto!, you can rush up and put out some rather nice marketing
> material on it.
>
> Fact is, anomaly detection is so rare that it's almost unexistant in the
> commercial products, except for limited forms of "protocol anomaly
> detection" and for Arbor's peakflow technology.

Two comments here.

- lot's of NIDS that tend to code for a vulnerability, don't actually
  code for the vulnerability. They are still writing attack signatures.
  The attack signatures are smarter than what was standard about five
  years ago, but I've yet to really see a NIDS come out of the box
  with full vuln/IDS correlation.

- I agree that "anomaly detection" != "zero day" detection. Just because
  my DNS server starts to connect to all the other hosts on my network,
  doesn't mean it has got a worm on it.

Ron Gula, CTO
Tenable Network Security


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------