Protocol Anomaly Detection IDS

["Michael L. Artz" <dragon () october29 net>]

I am trying to supplement our existing signature based IDS (Snort, gotta 
love open source) with a protocol anomaly based one in a fairly large 
enterprise network.  I am in the fairly early stages of research, so I 
guess that the first question would be, is it worth it?

I hear the anomaly detection buzzword thrown around a lot these days, 
and can't quite get past all the marketing hype.  From what I can tell, 
protocol anomaly detection seems to be the more promising than the 
statistical for detecting new or IDS-cloaked attacks.  However the 
notion of "conforming to RFCs" leaves a lot of leeway for the vendors to 
play with.  How well do these types of systems actually work?

Does anyone have any recommendations as to which systems to look 
into/stay away from?  Below is a list of some of the ones that looked 
like they might support protocol anomaly detection from their marketing 
hype, let me know if I left any out/incorrectly added any:

Lancope Stealthwatch
Tipping Point/UnityOne
ISS RealSecure Guard
Cisco IDS 4250
CA/eTrust IDS
Intruvert Intrushield
NFR Network Intrusion Detection System
Netscreen/Onesecure IDP
Symantec ManHunt

Any clues or headstarts to get me pointed in the right direction would 
be great.

Thanks
-Mike