IDS mailing list archives
RE: Definition of Zero Day Protection
From: "Brian Smith" <bsmith () tippingpoint com>
Date: Mon, 9 Aug 2004 15:45:29 -0500
It's important to distinguish between zero day exploits and zero day vulnerabilities. Zero day exploits exploit a known vulnerability with a new exploit (like Code Red vs. Code Red II). Zero day vulnerabilities are flaws in software that no one knows about except the attacker. Several products (TippingPoint, MacAfee, ISS, to name a few) can detect and block zero day exploits by detecting network traffic that tries to exploit the underlying vulnerability. These all work by decoding the application request and checking that the network traffic is attempting to exploit the underlying vulnerability. Zero day vulnerabilities are another animal entirely. These are detected (if at all) by noticing statistical or behavioral anomalies. For example, they might detect a sudden surge in UDP traffic destined for a particular port, or notice that two machines are starting to communicate on a port that they've never used before. There's no known way to surgically block just the bad traffic in that case. As Steve says, blocking traffic detected by behavioral/statistical anomalies will sometimes block new applications. Several products offer mitigation strategies to limit the new traffic's ability to impact existing applications (e.g., they might rate limit the UDP traffic to 1 Mbps so it doesn't swamp you network), but I don't know of any product that can block zero day vulnerabilities with blocking legitimate traffic. If a vendor thinks their product can block zero day vulnerabilities without blocking legitimate traffic, please post the details of how your product works. I'm sure everyone here would love to get some hard facts on this type of technology. Brian Smith -----Original Message----- From: Carey, Steve T GARRISON [mailto:steven-carey () us army mil] Sent: Monday, August 09, 2004 12:27 PM To: Teicher, Mark (Mark) Cc: Seanor, Joseph (Joe); focus-ids () securityfocus com Subject: RE: Definition of Zero Day Protection Would say they are 'misguided', they believe it. But from the different IDS and IPS systems I have tested and used, the IPS CAN stop attacks, however, if someone in your organization starts using a new software, it may get stopped by the IPS. Also, if the Zero Day Exploit is on the encrypted side, like ssl, then no it wouldn't stop it. There is some new technology being worked concerning Kernel Protection that comes close, but still is being worked. The biggest problem with Zero Day Protection is encrypted programs. Host based programs can work, but still believe that as of today it is still going to take a human to ensure Zero Day Protection (provided they have the necessary tools to do it with). Steve -----Original Message----- From: Teicher, Mark (Mark) [mailto:teicher () avaya com] Sent: Monday, August 09, 2004 12:14 PM To: Carey, Steve T GARRISON Cc: Seanor, Joseph (Joe); focus-ids () securityfocus com Subject: RE: Definition of Zero Day Protection Marketing ploy?? You mean marketing people don't state the truth about Zero Day Protection and how it works ?? /mark -----Original Message----- From: Carey, Steve T GARRISON [mailto:steven-carey () us army mil] Sent: Monday, August 09, 2004 11:08 AM To: Teicher, Mark (Mark) Cc: Seanor, Joseph (Joe); focus-ids () securityfocus com Subject: RE: Definition of Zero Day Protection My own personal opinion, based on 7 years of experience in intrusion detection, is that it is a marketing ploy. Only way to ensure Zero Day Protection is to use a 'suite' of IDS tools and have an analyst looking at those logs 24/7 to find the Zero Day Exploit. Vendors can state they prevent Zero Day Exploits but to do that you can also stop legitimate traffic. Maybe sometime in the future that can happen, but not today. Steve Carey -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. -------------------------------------------------------------------------- -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Re: Definition of Zero Day Protection, (continued)
- Re: Definition of Zero Day Protection Drew Simonis (Aug 09)
- RE: Definition of Zero Day Protection Teicher, Mark (Mark) (Aug 09)
- RE: Definition of Zero Day Protection Michal Zalewski (Aug 10)
- Re: Definition of Zero Day Protection Ranjeet Shetye (Aug 10)
- RE: Definition of Zero Day Protection Teicher, Mark (Mark) (Aug 09)
- Re: Definition of Zero Day Protection Andy Cuff (Aug 11)
- RE: Definition of Zero Day Protection Drew Copley (Aug 09)
- Re: Definition of Zero Day Protection Devdas Bhagat (Aug 13)
- RE: Definition of Zero Day Protection Fulp, J.D. USA (Aug 09)
- RE: Definition of Zero Day Protection Joshua Berry (Aug 10)
- RE: Definition of Zero Day Protection Brian Smith (Aug 10)
- RE: Definition of Zero Day Protection Teicher, Mark (Mark) (Aug 10)
- RE: Definition of Zero Day Protection Brian Smith (Aug 10)
- RE: Definition of Zero Day Protection Drew Copley (Aug 10)
- A Network IPS Proposal (was Definition of Zero Day Protection) Shaiful (Aug 13)
- Re: A Network IPS Proposal (was Definition of Zero Day Protection) Johnny Calhoun (Aug 16)
- Re: A Network IPS Proposal (was Definition of Zero Day Protection) Stefano Zanero (Aug 17)
- Re: A Network IPS Proposal (was Definition of Zero Day Protection) Shaiful (Aug 17)
- A Network IPS Proposal (was Definition of Zero Day Protection) Shaiful (Aug 13)
- RE: Definition of Zero Day Protection Drew Simonis (Aug 10)
- Re: Definition of Zero Day Protection Stefano Zanero (Aug 11)
- Re: Definition of Zero Day Protection hidsbr (Aug 10)