IDS mailing list archives
Re: IDS vs Application Proxy Firewal
From: Damiano Bolzoni <damiano.bolzoni () utwente nl>
Date: Sat, 25 Oct 2008 11:29:27 +0200
alfredhuger () winterhope com wrote:
Hopefully the open source community will dig in and fix this for everyone else so they can profit on it.
Alfred, anomaly-based IDSs (let's consider the whole family, not just WAFs) have been studied for a decade now and, apart from a few isolated attempts, I haven't seen any significant result either from the open-source community or from commercial vendors. Most vendors claim anomaly-detection features for their products because they monitor behaviours within the network (mainly related to the number of connections per time frame, etc.). Open-source tools such as Psyche can do the same. Those approaches have been refined and work well enough to be incorporated in commercial products, but definitely miss a lot of bad things out there.

To detect attacks at payload level (e.g., buffer overflow or SQL injection attacks), which are the nasty ones, you need to research a lot before having something that works. I believe that those who do good research on this topic are not going to release any stable version of their POC tools, simply because they do not have the time/interest to develop something as complex as Snort (because that's the quality standard nowadays).

During BH 2008 in Las Vegas, I attended the presentation by Breach about ModProfiler, the supposed-to-be most significant attempt to bring anomaly detection inside mature software (and a quite famous one). Well, if you have time, read this academic paper http://www.cs.ucsb.edu/~vigna/publications/2005_kruegel_vigna_robertson_CN05.pdf and you will find some similarities (btw, I asked Ivan Ristic in person about this and I couldn't "dig" too much out). It took 3 years to have the open-source implementation of something that fails in many circumstances (and I heard that from the mouth of one of the original authors of the paper :)