IDS mailing list archives

Re: IPS comparison


From: Frank Knobbe <frank () knobbe us>
Date: Sat, 03 Sep 2005 01:58:56 -0500

On Tue, 2005-08-30 at 18:02 -0400, Adam Powers wrote:
> This is why most of today's *successful* anomaly detection technologies
> incorporate a learning or "behavioral" component that overcomes this kind of
> problem. Take StealthWatch for instance. When a new DNS server comes online,
> StealthWatch looks at the flows being generated by the server, figures out
> what the server is and how it's behaving, then applies the appropriate
> algorithms given the contextual awareness of the server's learned behaviors.
>
> In a nutshell:
>
> 1. New host detected.
> 2. Let's watch it for a bit and figure out what it's up to.
> 3. Now that we know what the machine is and does, apply the proper anomaly
> detection techniques to the traffic generated by the host.

uhm... then I would rather not use StealthWatch. If a new host comes
online, I'd like to receive an alert on that. Also, letting the IDS
guess what is normal may be suboptimal. For instance, if a host is
hacked and starts an FTP server on a new IP address the hacker assigns
(new host), the IDS will watch the FTP traffic of the pubstro and then
consider it normal. Except that it isn't :)

So having an IDS accept a new host and consider its traffic normal
without any sort of alerts or user intervention can hardly be considered
a "successful" IDS.

Regards,
Frank


-- 
Ciscogate: Shame on Cisco. Double-Shame on ISS.
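The two policies argued over above, as an added illustration that is not StealthWatch's code or anything from the thread: a toy flow-baseline detector that either learns every new host (the three steps Adam describes) or, as Frank prefers, alerts on any host outside an approved inventory and only baselines approved ones. Flow records, addresses and the learning window are constructed.

```python
"""Learn-then-accept vs. inventory-gated baselining of a newly seen host.

Illustration only; it does not reproduce any vendor's algorithm.
"""
from collections import defaultdict

# Constructed flow records (server_ip, server_port): 10.0.0.5 is a known DNS
# server, 10.0.0.50 is a newly assigned address that starts serving FTP.
FLOWS = [("10.0.0.5", 53)] * 3 + [("10.0.0.50", 21)] * 5 + [("10.0.0.5", 53)]

LEARN_WINDOW = 3  # flows observed before a host's behaviour counts as "learned"


def detect(flows, approved=None):
    """Run flows through the detector and return the alerts raised, in order.

    approved=None -> every new host is watched, then whatever it did is its
                     baseline (the "new host / watch it / apply" sequence).
    approved=set  -> hosts outside the inventory raise a 'new host' alert and
                     are never baselined; only approved hosts are learned.
    """
    observed = defaultdict(list)   # ip -> ports seen during the learning window
    baseline = {}                  # ip -> set of ports accepted as normal
    alerts = []

    def alert(msg):
        if msg not in alerts:      # one alert per distinct condition
            alerts.append(msg)

    for ip, port in flows:
        if approved is not None and ip not in approved:
            alert(f"new host {ip} seen serving port {port}")
            continue                                # never learn an unapproved host
        if ip in baseline:
            if port not in baseline[ip]:
                alert(f"{ip}: port {port} deviates from learned baseline")
        else:
            observed[ip].append(port)
            if len(observed[ip]) >= LEARN_WINDOW:
                baseline[ip] = set(observed[ip])   # the FTP host's traffic becomes "normal"
    return alerts


if __name__ == "__main__":
    print("auto-learn:", detect(FLOWS))                          # []
    print("inventory :", detect(FLOWS, approved={"10.0.0.5"}))   # flags 10.0.0.50
```

With auto-learning the attacker-assigned FTP host produces no alert at all, because its first three flows define what "normal" means for it; with the inventory policy the same flows raise a single new-host alert, and the approved DNS server is still baselined and checked for deviations.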
