IDS mailing list archives
Re: IPS comparison
From: Adam Powers <apowers () lancope com>
Date: Tue, 06 Sep 2005 11:58:52 +0100
We gotcha covered Frank. You get an alert by default (that is, a visual cue in the UI). If you want an alarm for new hosts, have at it. It's a simple change to the default zone policy config.

On 9/3/05 7:58 AM, "Frank Knobbe" <frank () knobbe us> wrote:
> On Tue, 2005-08-30 at 18:02 -0400, Adam Powers wrote:
> > This is why most of today's *successful* anomaly detection technologies incorporate a learning or "behavioral" component that overcomes this kind of problem. Take StealthWatch for instance. When a new DNS server comes online, StealthWatch looks at the flows being generated by the server, figures out what the server is and how it's behaving, then applies the appropriate algorithms given the contextual awareness of the server's learned behaviors.
> >
> > In a nutshell:
> > 1. New host detected.
> > 2. Let's watch it for a bit and figure out what it's up to.
> > 3. Now that we know what the machine is and does, apply the proper anomaly detection techniques to the traffic generated by the host.
>
> uhm... then I would rather not use Stealthwatch. If a new host comes online, I'd like to receive an alert on that. Also, letting the IDS guess what is normal may be suboptimal. For instance, if a host is hacked and starts an FTP server on a new IP address the hacker assigns (new host), the IDS will watch the FTP traffic of the pubstro and then consider it normal. Except that it isn't :) So having an IDS accept a new host and consider its traffic normal without any sort of alerts or user intervention can hardly be considered a "successful" IDS.
>
> Regards,
> Frank
--
Adam Powers
Director of Technology
Lancope, Inc.
c. 678.725.1028
e. apowers () lancope com
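The learning-window concern raised in this exchange (a newly appearing host whose traffic gets baselined as normal before anyone looks at it), as an added example that is not part of the thread and not code from StealthWatch or Lancope: a small flow analyser that always alerts on a first-seen internal host, flags one that starts accepting outside connections during its learning window, and leaves the learned profile in a review state instead of promoting it to normal on its own. The flow records, the host addresses and the 10.0.0.0/24 "internal" prefix are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample flows: (src, dst, dst_port). 10.0.0.99 has never been
# seen before and immediately serves FTP to outside clients (the "pubstro" case).
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.53", 53),        # known workstation -> known DNS server
    ("10.0.0.5", "10.0.0.53", 53),
    ("198.51.100.7", "10.0.0.99", 21),    # external client -> never-seen host
    ("203.0.113.9", "10.0.0.99", 21),
    ("10.0.0.99", "10.0.0.53", 53),       # the new host doing a lookup
]
KNOWN_HOSTS = {"10.0.0.5", "10.0.0.53"}   # constructed inventory
INTERNAL = "10.0.0."                      # assumed internal prefix
LEARN_FLOWS = 3                           # flows observed before learning ends


@dataclass
class Profile:
    state: str = "learning"               # learning -> pending_review -> normal
    inbound_ports: dict = field(default_factory=lambda: defaultdict(int))
    seen: int = 0


def analyze(flows, known_hosts):
    """Return (alerts, profiles). A first-seen internal host always raises an
    alert, and its profile never becomes 'normal' by itself: the learning
    window ends in pending_review, so an analyst, not the learner, decides."""
    alerts, profiles, known = [], {}, set(known_hosts)
    for src, dst, dport in flows:
        for h in (src, dst):
            if h.startswith(INTERNAL) and h not in known:
                known.add(h)
                profiles[h] = Profile()
                alerts.append(("new_host", h))
        for h in (src, dst):
            p = profiles.get(h)
            if p is None or p.state != "learning":
                continue
            p.seen += 1
            if h == dst:
                p.inbound_ports[dport] += 1
                # A brand-new host accepting outside connections while still
                # "learning" is exactly the traffic not to baseline quietly.
                if not src.startswith(INTERNAL):
                    a = ("new_host_serving_external", h, dport)
                    if a not in alerts:
                        alerts.append(a)
            if p.seen >= LEARN_FLOWS:
                p.state = "pending_review"
    return alerts, profiles
```

Promotion from `pending_review` to `normal` is deliberately left to a separate, human-driven step; the learner only collects evidence.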
Current thread:
- IPS comparison Rubayat . Zahir (Sep 01)
- <Possible follow-ups>
- RE: IPS comparison Joseph Hamm (Sep 02)
- RE: IPS comparison James Williams (Sep 02)
- RE: IPS comparison Zahir, Rubayat (Sep 02)
- Re: IPS comparison Frank Knobbe (Sep 05)
- Re: IPS comparison Adam Powers (Sep 07)
- Re: IPS comparison Sanjay Rawat (Sep 08)
- Re: IPS comparison Frank Knobbe (Sep 09)
- Re: IPS comparison Sanjay Rawat (Sep 12)
- MIT Darpa Dataset, Wilmar SULAIMAN (Sep 19)
- Re: MIT Darpa Dataset, Sanjay Rawat (Sep 21)
- RE: IPS comparison Seek Knowledge (Sep 07)
- RE: IPS comparison Frank Knobbe (Sep 08)