Re: [PEN-TEST] Recourse Technologies -- info wanted

[Oliver Friedrichs <ofriedrichs () SECURITYFOCUS COM>]

I've come to believe that this is more of a marketing tactic than an actual
fact.  I can believe that this would be true for an IDS with only a few
signatures enabled, or one doing offline processing, but an IDS that is
doing pattern matches on over 700 signatures in realtime, this is
practically infeasible.  Feel free to prove me wrong, but I've heard from
several people, even friends working for competing companies, that claim
their IDS does this, and I don't believe it.  My reasoning is that for me to
believe this there has to be proven facts, rather than marketing hype.  And
I would also want to understand their algorithm for doing this, which I
don't believe any of them have made public.  This is very similar to the
scanner market, where each vendor may have their own method for detecting a
particular vulnerability, the the customer places implicit trust in the
vendor, with very few having any idea what happens under the hood.

I doubt this will change anytime soon though, after-all who would want to
release such a detailed specification of their product, in fear of losing
their perceived advantage.

- Oliver

> -----Original Message-----
> From: Mark Teicher [mailto:mark.teicher () NETWORKICE COM]
> Sent: Tuesday, October 03, 2000 8:43 AM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: [PEN-TEST] Recourse Technologies -- info wanted
>
>
> I would like to see them prove the following statement: "With
> 100 percent data capture at volumes exceeding 1 Gbps"..
> Since only a few
> IDS vendors are capable of capturing data at volumes of 1 Gbps
>
> /mark
>
>
> At 11:08 PM 10/2/00 -0400, subscribe wrote:
> > ManTrap and ManHunt:
> >
> > coded in C++ and Java...the usual JAVA for the GUI viewing....
> >
> > what else?
> >  >> oh, has 'typical' signatures coded in software, BUT
> also has 'anomaly'
> > based signatures as well...not pure 'anomaly', but it has
> been coded in a
> > way that it attempts to take a known signature, tweak it a bit (for
> > example, slow the packets down, etc.), and treat that as a
> threat as well.
> > In layman's terms, it knows what all IDS know, and a step beyond it
> > attempts to pre-empt new attacks which are based on old ones
> via these
> > anomaly signatures.
> >
> > c.t.
> >
> >
> >
> >
> > > Hello:
> > >
> > > Has anybody dealt with or know about Recourse Technologies
> > > (www.recoursetechnologies.com) and its products?  Any
> info is appreciated.
> > > Thanks,
> > > -andrew