IDS mailing list archives

Re: IDS thoughts


From: Jimi Thompson <jimit () myrealbox com>
Date: Sun, 1 Jun 2003 21:30:29 -0500

<SNIP>

 I don't think anyone has forgotten anomaly-based detection.  Most
 players are taking a hybrid approach.

This is what they say, but beyond marketing hype and some small, limited
attempt at portscan detection, there is nothing of the kind in production
systems. I welcome counter-examples, of course!

</SNIP>

I recently finished a lengthy stint with a Fortune 10 company web site and would agree with you. While we had various vendors in and evaluated a lot of products, we finally had some in-house developers write a custom system based around an AI engine to handle heuristic and anomaly detection. It was fairly good at detecting stealthy port scans and initiating appropriate counter-measures. It took us a LONG time (over a year) to get it trained and operating properly. Even then, it still routed a goodly number of things to humans for evaluation.
--
Thanks,

Ms. Jimi Thompson, CISSP, Rev.

"Those who are too smart to engage in politics are punished by being governed by those who are dumber." --Plato
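The message above describes the shape of a production anomaly detector without showing one: a baseline learned from a training period, a score for how far live traffic departs from it, and a middle band that is handed to a human analyst rather than auto-blocked. The sketch below is an added illustration of that shape, not code from the poster or from the system described. The connection records, the hosts (10.0.0.x), the one-hour feature window and the z-score thresholds (3 for review, 10 for alert) are all constructed assumptions; a real deployment would learn those from its own traffic.

```python
"""Baseline-driven anomaly detection for slow port scans (added illustration).

Feature: number of distinct destination ports a source touches per window.
Training traffic establishes what "normal" looks like; live traffic is scored
as a z-score against that baseline. Scores in a middle band are routed to a
human, mirroring the hybrid workflow described in the thread.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

WINDOW = 3600  # seconds per feature window (assumption: one hour)
REVIEW_Z = 3.0  # at or above this, route to an analyst (assumption)
ALERT_Z = 10.0  # at or above this, raise an automated alert (assumption)

# Constructed sample records: (time in seconds, source IP, destination port).
# Training hosts each speak to two well-known ports once a minute.
TRAINING = [(t, f"10.0.0.{h}", p)
            for h in (1, 2, 3, 4, 5) for t in range(0, 3600, 60) for p in (80, 443)]
# Live traffic: an ordinary host, a busier admin box, and a slow scanner that
# probes one new port every 90 seconds, a rate a per-second threshold misses.
LIVE_NORMAL = [(t, "10.0.0.7", p) for t in range(0, 3600, 60) for p in (80, 443, 22)]
LIVE_ADMIN = [(t, "10.0.0.8", p) for t in range(0, 3600, 300) for p in (22, 80, 443, 3389, 8080)]
LIVE_SCANNER = [(90 * i, "10.0.0.99", 1000 + i) for i in range(40)]


@dataclass
class Baseline:
    mu: float     # mean distinct ports per window seen in training
    sigma: float  # standard deviation, floored so z-scores stay finite


def port_counts_per_window(records, window=WINDOW):
    """Return {src: [distinct destination ports per window, ...]}."""
    buckets = defaultdict(lambda: defaultdict(set))
    for t, src, dport in records:
        buckets[src][t // window].add(dport)
    return {src: [len(ports) for _, ports in sorted(wins.items())]
            for src, wins in buckets.items()}


def train(records):
    """Learn the baseline from traffic assumed to be scan-free."""
    counts = [c for per_src in port_counts_per_window(records).values() for c in per_src]
    return Baseline(float(mean(counts)), max(pstdev(counts), 1.0))


def classify(records, baseline):
    """Score each live source; return {src: (max z-score, verdict)}."""
    verdicts = {}
    for src, counts in port_counts_per_window(records).items():
        z = max((c - baseline.mu) / baseline.sigma for c in counts)
        if z >= ALERT_Z:
            verdict = "alert"
        elif z >= REVIEW_Z:
            verdict = "review"   # ambiguous: hand to a human
        else:
            verdict = "ok"
        verdicts[src] = (z, verdict)
    return verdicts


if __name__ == "__main__":
    bl = train(TRAINING)
    for src, (z, verdict) in classify(LIVE_NORMAL + LIVE_ADMIN + LIVE_SCANNER, bl).items():
        print(f"{src:12} z={z:5.1f} {verdict}")
```

With the constructed data the ordinary host scores z=1 (ok), the admin box z=3 (review) and the scanner z=38 (alert). The point of the middle band is the one the message makes: even a tuned baseline leaves a residue that only an analyst can resolve, and the baseline itself is only as good as the training traffic it was fitted to.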
