Intrusion Detection Systems mailing list archives
Re: Assessment tools/Scanners
From: dugsong () monkey org (Dug Song)
Date: Sat, 9 Oct 1999 15:37:57 -0400 (EDT)
On Fri, 8 Oct 1999, Ryan M. Ferris wrote:
> A comprehensive security assessment tool specifically to compare IDS is generally not available although Anzen is pushing something like this.
what we're pushing for is a better understanding of the failure modes
these products have, and the development of better quality metrics to be
able to quantitatively characterize these systems. see
http://www.monkey.org/~dugsong/talks/ids/
for an "Intrusion Detection 101" presentation that identifies several
specific and overarching concerns.
for a good qualitative IDS comparison, see Kathleen Jackson's commercial
IDS evaluation matrix for Los Alamos Nat'l Lab, a snippet of which is
available at
http://www.anzen.com/news/anzen_chart.pdf
> All IDS products are developed with internal test suites that determine whether or not a given IDS signature works.
but the problem is that vendors aren't using or developing test suites that determine how their systems FAIL. this is evident from the ways we've found to trivially elude them.

-d.
