Re: IPS comparison

[Sanjay Rawat <sanjayr () intoto com>]

Hi Stefano:
I got confused over one comment made by you: "First hint of the day: if 
there is a regexp there, it's NOT anomaly
detection." why it is so? I can use association or frequent episode rules 
to capture normal behavior (you know this), and I can use regexp to 
represent such rules. in this case, it is anomaly based detection with 
regexp. Am I missing something?

Regards
Sanjay

At 03:36 AM 8/30/2005, Stefano Zanero wrote:
> Joey Peloquin wrote:
>
> > I'm evaluating TippingPoint's device right now, and that's not entirely
> > true.  The only *static* signatures used are the AV, Spyware, IM, and
> > P2P filters.  Everything else is anomaly-based, through the use of
> > regex,
>
> First hint of the day: if there is a regexp there, it's NOT anomaly
> detection.
>
> > and the vulnerabilities themselves.
>
> Second hint of the day: if the "description of vulnerabilities" is in
> there somewhere, that means "misuse based" detection. Anomaly based
> detection happens when you have a model of what is good, and declare
> what is not good to be bad.
>
> > This is why TP claims the
> > ability to stop so-called 0-day attacks.
>
> They can also claim the throne of the kingdom of Hackerhood, but
> nevertheless, this is nothing of the kind.
>
> > In fact all vendors who claim the ability to stop 0-day attacks do so
> > because they are supposed to be filtering on the vulnerability
>
> And then they are just deluding their customers.
>
> > of these devices is the fact that they do "deep packet inspection",
> > rather than a protcol decode and "best guess" based on irregularities in
> > the way it's supposed to function.
>
> That's called "protocol anomaly detection", and you can find rants about
> it by googling...
>
> Best,
> Stefano Zanero
> ---------------------------
> Secure Network S.r.l.
> www.securenetwork.it
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------

Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
  Homepage: http://sanjay-rawat.tripod.com






------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------