IDS mailing list archives

Re: IDS detection approaches


From: Stefano Zanero <s.zanero () securenetwork it>
Date: Wed, 10 Oct 2007 21:39:48 +0200

Nelson Brito wrote:
> I do agree that SNORT is one of the most popular when you are
> learning about IDS, but it is possible to attack the IDS engine in a
> very easy way: 1) evasion; 2) DoS; 3) False Positive; 4) you name
> it...

"Evasion" is a problem against any type of detection technology. Ditto
for denial of service.

Snort, being a misuse detector, does NOT usually have huge false
positive problems; it has bad rules or unwanted true positives instead.

> I think the best approach is when vendors get the knowledge of how
> the vulnerabilities work, 

This is just a mantra devoid of content. Even then, evasion, false
positives, noncontextual alerts and denial of service possibilities will
be there to stay.

Stefano
