IDS mailing list archives
Re: IDS thoughts
From: Jimi Thompson <jimit () myrealbox com>
Date: Sun, 1 Jun 2003 21:30:29 -0500
<SNIP>
> > I don't think anyone has forgotten anomaly-based detection. Most players are taking a hybrid approach.
>
> This is what they say, but beyond marketing hype and some small, limited attempts at portscan detection, there is nothing of the kind in production systems. I welcome counter-examples, of course!
</SNIP>

I recently finished a lengthy stint with a Fortune 10 company's web site and would agree with you. While we had various vendors in and evaluated a lot of products, we finally had some in-house developers write a custom system based around an AI engine to handle heuristic and anomaly detection. It was fairly good at detecting stealthy port scans and initiating appropriate counter-measures. It took us a LONG time (over a year) to get it trained and operating properly. Even then, it still routed a goodly number of things to humans for evaluation.
--
Thanks,
Ms. Jimi Thompson, CISSP, Rev.
"Those who are too smart to engage in politics are punished by being governed by those who are dumber." --Plato
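The post above describes the shape of such a system without any detail: a baseline learned over a training period, anomaly scoring of live traffic, and borderline cases routed to a human instead of being auto-blocked. The following is an added illustration of that shape, not code from the poster's in-house system or from any vendor. Every flow record is constructed for the example, and the z-score thresholds (1.5 for human review, 3.0 for an alert) are assumed values chosen to make the three outcomes visible.

```python
"""Toy hybrid port-scan detector: learn a baseline of distinct destination
ports per source from a training period, score live traffic against it, and
route borderline scores to a human analyst.  Every flow below is constructed
for this example; nothing here comes from a real sensor."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed benign training traffic: "timestamp src dst dport"
TRAINING_FLOWS = """\
1 10.0.0.5 10.0.1.10 80
2 10.0.0.5 10.0.1.10 443
3 10.0.0.6 10.0.1.10 80
4 10.0.0.7 10.0.1.11 22
5 10.0.0.7 10.0.1.11 443
6 10.0.0.8 10.0.1.10 80
7 10.0.0.8 10.0.1.12 8080
8 10.0.0.8 10.0.1.12 443
"""

# Constructed live traffic: a normal host, a slightly chattier host, and a
# slow scanner (10.0.0.9) that probes one port every ten minutes, so a
# per-second rate threshold would never fire on it.
LIVE_FLOWS = """\
100 10.0.0.5 10.0.1.10 80
101 10.0.0.5 10.0.1.10 443
110 10.0.0.8 10.0.1.10 80
111 10.0.0.8 10.0.1.12 8080
112 10.0.0.8 10.0.1.12 443
113 10.0.0.8 10.0.1.12 22
""" + "".join(
    f"{120 + 600 * i} 10.0.0.9 10.0.1.10 {port}\n"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])
)


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((int(ts), src, dst, int(dport)))
    return records


def distinct_targets_per_source(records):
    """Count distinct (dst, dport) pairs each source touched in the window.
    Aggregating over the whole window is what makes slow scans visible."""
    targets = defaultdict(set)
    for _, src, dst, dport in records:
        targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items()}


def train_baseline(records):
    """Learn mean and standard deviation of distinct targets per source from
    traffic assumed benign.  A zero deviation is floored to 1.0 so a perfectly
    uniform training set cannot make every later deviation infinite."""
    counts = list(distinct_targets_per_source(records).values())
    return {"mean": mean(counts), "std": pstdev(counts) or 1.0}


def classify(records, baseline, review_z=1.5, alert_z=3.0):
    """Score each source as a z-score against the baseline.  Clear outliers
    become alerts; borderline scores are queued for a human rather than
    silently dropped or auto-blocked.  Thresholds are assumed values."""
    verdicts = {}
    for src, n in distinct_targets_per_source(records).items():
        z = (n - baseline["mean"]) / baseline["std"]
        if z >= alert_z:
            verdicts[src] = "alert"
        elif z >= review_z:
            verdicts[src] = "review"
        else:
            verdicts[src] = "ok"
    return verdicts


def run_example():
    """Train on the constructed benign set, then classify the live set."""
    baseline = train_baseline(parse_flows(TRAINING_FLOWS))
    return classify(parse_flows(LIVE_FLOWS), baseline)


if __name__ == "__main__":
    for src, verdict in sorted(run_example().items()):
        print(f"{src:10} {verdict}")
```

With the constructed data the baseline is a mean of 2 distinct targets per source with a standard deviation of about 0.71, so 10.0.0.5 scores as normal, 10.0.0.8 (four targets, z about 2.8) lands in the human-review queue, and the slow scanner 10.0.0.9 (twelve targets) is alerted on even though it never exceeds one probe per ten minutes. The point the post makes about training time follows directly from this design: the baseline is only as good as the traffic it was learned from, and the review queue is where the model's uncertainty goes until the baseline is trusted.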
Current thread:
- Re: IDS thoughts Stefano Zanero (Jun 02)
- Re: IDS thoughts Stephen P. Berry (Jun 02)
- Re: IDS thoughts Raistlin (Jun 03)
- Re: IDS thoughts Stephen P. Berry (Jun 03)
- Re: IDS thoughts Raistlin (Jun 03)
- <Possible follow-ups>
- Re: IDS thoughts Jimi Thompson (Jun 02)
- Re: IDS thoughts Stephen P. Berry (Jun 02)