IDS mailing list archives
Re: IPS comparison
From: Sanjay Rawat <sanjayr () intoto com>
Date: Tue, 30 Aug 2005 09:52:27 +0530
Hi Stefano:

I got confused over one comment made by you: "First hint of the day: if there is a regexp there, it's NOT anomaly detection." Why is it so? I can use association or frequent episode rules to capture normal behavior (you know this), and I can use regexp to represent such rules. In this case, it is anomaly based detection with regexp. Am I missing something?

Regards
Sanjay

At 03:36 AM 8/30/2005, Stefano Zanero wrote:
Joey Peloquin wrote:
> I'm evaluating TippingPoint's device right now, and that's not entirely
> true. The only *static* signatures used are the AV, Spyware, IM, and
> P2P filters. Everything else is anomaly-based, through the use of
> regex,

First hint of the day: if there is a regexp there, it's NOT anomaly detection.

> and the vulnerabilities themselves.

Second hint of the day: if the "description of vulnerabilities" is in there somewhere, that means "misuse based" detection. Anomaly based detection happens when you have a model of what is good, and declare what is not good to be bad.

> This is why TP claims the
> ability to stop so-called 0-day attacks.

They can also claim the throne of the kingdom of Hackerhood, but nevertheless, this is nothing of the kind.

> In fact all vendors who claim the ability to stop 0-day attacks do so
> because they are supposed to be filtering on the vulnerability

And then they are just deluding their customers.

> of these devices is the fact that they do "deep packet inspection",
> rather than a protocol decode and "best guess" based on irregularities in
> the way it's supposed to function.

That's called "protocol anomaly detection", and you can find rants about it by googling...

Best,
Stefano Zanero
---------------------------
Secure Network S.r.l.
www.securenetwork.it
--
Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta, Hyderabad 500082 | India
Office: +91 40 23358927/28 Extn 422
Website: www.intoto.com
Homepage: http://sanjay-rawat.tripod.com
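The distinction the two posters are arguing about, as an added example written for this archive page (it is not code from either poster or from any vendor mentioned): a regexp learned from known-good traffic is a model of what is good, so a miss is an anomaly alert, while a regexp describing a known-bad pattern is a misuse signature. The training requests and the traversal signature are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed training data: request lines seen during a known-good period.
NORMAL_TRAINING = [
    "GET /index.html", "GET /img/logo.png", "GET /api/user/42",
    "GET /api/user/7", "POST /api/login", "GET /img/banner.png",
]

# Misuse side: a regexp describing something known to be BAD
# (a directory-traversal signature, constructed for this example).
MISUSE_SIGNATURES = [re.compile(r"\.\./")]


def generalize(request: str) -> str:
    """Reduce one observed request to a regexp fragment describing its shape:
    every run of digits becomes \\d+, everything else is matched literally."""
    shape = re.sub(r"\d+", "\x00", request)          # placeholder for numbers
    return re.escape(shape).replace("\x00", r"\d+")


def learn_normal_model(training: list[str]) -> re.Pattern:
    """Anomaly side: the model is itself a regexp, but a regexp of what is
    GOOD. Any request the learned shapes do not cover is declared anomalous."""
    shapes = sorted({generalize(r) for r in training})
    return re.compile("^(?:" + "|".join(shapes) + ")$")


def classify(events: list[str], normal: re.Pattern) -> list[tuple[str, bool, bool]]:
    """Return (event, anomaly_alert, misuse_alert) for each event."""
    out = []
    for ev in events:
        anomaly = normal.fullmatch(ev) is None               # not in the good model
        misuse = any(sig.search(ev) for sig in MISUSE_SIGNATURES)  # matches known bad
        out.append((ev, anomaly, misuse))
    return out


if __name__ == "__main__":
    model = learn_normal_model(NORMAL_TRAINING)
    for ev, anomaly, misuse in classify(
        ["GET /api/user/1234", "GET /api/admin", "GET /img/../../config"], model
    ):
        print(f"{ev:28} anomaly={anomaly!s:5} misuse={misuse}")
```

Note that "GET /api/admin" is flagged only by the anomaly model: no signature describes it, which is exactly the case where a model of normal catches something a misuse rule cannot.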