IDS mailing list archives

Re: IDS vs Application Proxy Firewal

From: Damiano Bolzoni <damiano.bolzoni () utwente nl>
Date: Sat, 25 Oct 2008 11:29:27 +0200

alfredhuger () winterhope com wrote:

Hopefully the open
source community will dig in and fix this for everyone else so they
can profit on it.


Alfred,
anomaly-based IDSs (let's consider the whole family, not just WAFs) have
been studied for a decade now and, apart for few isolated attempts, I
haven't seen any significant result neither from the open-source
community nor from commercial vendors.
Most vendors claim anomaly-detection features for their products because
they monitor behaviours within the network (mainly related to number of
connections per time frame etc.). Open-source tools such as Psyche can
do the same. Those approaches have been refined and work well enough to
be incorporated in commercial products, but definitely miss a lot of bad
things out there.
To detect attacks at payload-level (e.g., buffer overflow or SQL
Injection attacks), which are the nasty ones, you need to research a lot
before having something that works. I believe that those who make good
research on this topic are not going to release any stable version of
their POC tools, simply because they do not have time/interest to
develop something as complex as Snort (because that's the quality
standard nowadays).
During BH 2008 in Las Vegas, I attended the presentation of Breach about
ModProfiler, the supposed-to-be most significant attempt to bring
anomaly detection inside a mature software (and a quite famous one).
Well, if you had time, read this academic paper
http://www.cs.ucsb.edu/~vigna/publications/2005_kruegel_vigna_robertson_CN05.pdf
and you will find some similarities (btw, I asked to Ivan Ristic in
person about this and I couldn't "dig" too much out).
It took 3 years to have the open-source implementation of something that
fails in many circumstances (and I heard that from the mouth of one of
the original author of the paper :)

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

Current thread:

Re: IDS vs Application Proxy Firewal alfredhuger () winterhope com (Oct 24)
- Re: IDS vs Application Proxy Firewal Damiano Bolzoni (Oct 27)
  - Re: IDS vs Application Proxy Firewal Omar Herrera (Oct 27)
    - Re: IDS vs Application Proxy Firewal Stefano Zanero (Oct 28)
    - Re: IDS vs Application Proxy Firewal Omar Herrera (Oct 28)
    - Re: IDS vs Application Proxy Firewal Stefano Zanero (Oct 28)
    - Re: IDS vs Application Proxy Firewal Ashish Kamra (Oct 29)
    - Re: IDS vs Application Proxy Firewal Stefano Zanero (Oct 29)
    - RE: IDS vs Application Proxy Firewal Kamra, Ashish (Oct 29)
    - Re: IDS vs Application Proxy Firewal Stefano Zanero (Oct 29)
    - Re: IDS vs Application Proxy Firewal Damiano Bolzoni (Oct 28)
    - Re: IDS vs Application Proxy Firewal Arian J. Evans (Oct 28)

(Thread continues...)