IDS mailing list archives
RE: Anomaly Based Network IDS
From: "Drew Copley" <dcopley () eEye com>
Date: Wed, 23 Jun 2004 13:25:39 -0700
-----Original Message-----
From: Drew Copley
Sent: Tuesday, June 22, 2004 8:35 PM
To: 'Wozny, Scott (US - New York)'; focus-ids () securityfocus com; secdistlist () dauncey net
Subject: RE: Anomaly Based Network IDS

-----Original Message-----
From: Wozny, Scott (US - New York) [mailto:swozny () deloitte com]
Sent: Tuesday, June 22, 2004 2:32 PM
To: Drew Copley; Aaron Jordan; focus-ids () securityfocus com; secdistlist () dauncey net
Subject: RE: Anomaly Based Network IDS

Semantics aside, I find the smoke and mirrors aspect of this technology fascinating. The bottom line is this. The heart of anomaly based IDS is to tell you that your network traffic patterns (from what you're feeding the device) are noticeably different today than they were yesterday (or an hour ago or 5 minutes ago or whatever). While this is an interesting value proposition it's an addition to, not a replacement for, classical signature based IDS (or IPS if you're brave) that those in the trenches rely upon every day to tell them who is knocking at their doors and who brought in an infected laptop from home that's raising hell on the intranet. If an exploit is released for a vulnerability that isn't known in the security community (specifically the signature-based vendors) yet then anomaly based IDS does have a real opportunity to be your first warning that something is amiss.

[Noting that the original post was from Lancope itself, posing as an actual customer that had "found zero day vulnerabilities" -- one of the most absurd and misinformed lines I have heard in a long time... noting and moving on.]

There are several chances to "find" zero day. This is not a semantical issue, at all. It is a very critical issue. If people are clutching to smoke and mirrors, they will find themselves in deep water when the ship is sinking. To continue with the analogy.
Anyway, you are right, the technology is advancing. Here is a more recent article with a less entertaining and pertinent title: http://www.nwc.securitypipeline.com/howto/showArticle.jhtml?articleId=17602432&pgno=1 Lancope's StealthWatch gets a C+, btw.
<snip>

I should note, ordinarily, I would never point out such things. I have not tested out Lancope's StealthWatch, and have no idea of how good or bad it was. Reviews can often be unfair -- they can get a bad build, or they can represent a product far behind what soon-to-be-revealed future fixes will show. They represent a version at a static point in time... oftentimes a version just before the version reviewed, or the version a few months after the review, will have the bad issues solved. Sometimes, not. But, often so. Such is a secondary benefit of the reviewing process -- major bugs are forced into the spotlight.

As I am sure we all realize, the forged post was made by a single, ambitious but misinformed individual -- as it reeks of. My general comments were not stated with Lancope in mind, at all... whose product I have admittedly not tested. So, just to be fair.
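The point Scott makes in the quoted message (anomaly detection reports that traffic looks different from the baseline, while signatures catch the specific thing you already know about) can be shown in a few dozen lines. The following is an added illustration, not code from the thread or from any product named in it. The flow records, the seven-hour baseline, and the signature pattern are all constructed; the alert threshold of mean plus three standard deviations and the one-connection standard-deviation floor are assumptions chosen for the example.

```python
# Added example: a toy anomaly-based detector next to a toy signature check,
# run over constructed flow records. Nothing here is real traffic.
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: connection counts per hour over the previous seven
# hours, keyed by (source host, destination port).
BASELINE = {
    ("10.0.0.5", 80): [40, 44, 38, 41, 45, 39, 42],
    ("10.0.0.5", 445): [2, 1, 3, 2, 2, 1, 2],
    ("10.0.0.7", 25): [5, 6, 4, 5, 7, 5, 6],
}

# Constructed signature table: byte patterns a signature engine would look
# for in payloads. The pattern is a placeholder, not a real exploit string.
SIGNATURES = {"placeholder-sig-001": b"CONSTRUCTED-TEST-PATTERN"}

# Constructed "current hour" flows as (source host, destination port, payload).
CURRENT_FLOWS = (
    [("10.0.0.5", 80, b"GET / HTTP/1.0")] * 42             # normal web volume
    + [("10.0.0.5", 80, b"CONSTRUCTED-TEST-PATTERN")]       # normal volume, known-bad payload
    + [("10.0.0.5", 445, b"SMB")] * 60                      # SMB burst from one host
    + [("10.0.0.7", 25, b"MAIL FROM")] * 5                  # normal mail volume
    + [("10.0.0.9", 22, b"SSH-2.0")] * 3                    # host with no baseline at all
)


def aggregate(flows):
    """Count flows per (source host, destination port) for the window."""
    return Counter((src, port) for src, port, _ in flows)


def anomalies(baseline, observed, k=3.0, min_sigma=1.0):
    """Flag keys whose count exceeds mean + k*sigma of their baseline, plus
    keys that have no baseline at all. min_sigma is a floor on sigma so a
    near-constant baseline does not turn a +1 wobble into an alert."""
    alerts = []
    for key, count in sorted(observed.items()):
        history = baseline.get(key)
        if history is None:
            alerts.append({"key": key, "count": count, "reason": "no baseline"})
            continue
        mu = mean(history)
        sigma = max(pstdev(history), min_sigma)
        z = (count - mu) / sigma
        if z > k:
            alerts.append({"key": key, "count": count, "reason": f"z={z:.1f}"})
    return alerts


def signature_hits(flows, signatures):
    """Naive substring match of every payload against every signature."""
    hits = []
    for src, port, payload in flows:
        for name, pattern in signatures.items():
            if pattern in payload:
                hits.append({"key": (src, port), "signature": name})
    return hits


if __name__ == "__main__":
    observed = aggregate(CURRENT_FLOWS)
    print("anomaly alerts:")
    for alert in anomalies(BASELINE, observed):
        print("  ", alert)
    print("signature hits:")
    for hit in signature_hits(CURRENT_FLOWS, SIGNATURES):
        print("  ", hit)
```

Run as a script it reports two anomaly alerts (the SMB burst from 10.0.0.5 and the never-seen host 10.0.0.9) and one signature hit on the web flow whose volume is perfectly ordinary. Neither detector sees what the other does, which is the "addition to, not a replacement for" point in the quoted message; a real deployment would also need per-hour-of-day baselines and a way to age them, which this toy omits.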
Current thread:
- Re: Anomaly Based Network IDS, (continued)
- Re: Anomaly Based Network IDS Aaron Jordan (Jun 22)
- RE: Anomaly Based Network IDS Drew Copley (Jun 22)
- Re: Anomaly Based Network IDS Adam Powers (Jun 24)
- RE: Anomaly Based Network IDS David J. Meltzer (Jun 22)
- RE: Anomaly Based Network IDS crayola (Jun 22)
- RE: Anomaly Based Network IDS Drew Copley (Jun 23)
- Re: Anomaly Based Network IDS Barry Fitzgerald (Jun 24)
- RE: Anomaly Based Network IDS Wozny, Scott (US - New York) (Jun 23)
- Re: Anomaly Based Network IDS Ramoni (Jun 24)
- RE: Anomaly Based Network IDS christian graf (Jun 24)
- RE: Anomaly Based Network IDS Drew Copley (Jun 23)
- RE: Anomaly Based Network IDS Drew Copley (Jun 24)
- Re: Anomaly Based Network IDS Drew Simonis (Jun 24)
- Re: Anomaly Based Network IDS Barry Fitzgerald (Jun 25)
- RE: Anomaly Based Network IDS Drew Copley (Jun 25)
- Re: Anomaly Based Network IDS Bharat Bhushan (Jun 25)
- Re: Anomaly Based Network IDS Thiago dos Santos Guzella (Jun 29)
- RE: Anomaly Based Network IDS Bharat Bhushan (Jun 29)