IDS mailing list archives

Re: IDS thoughts


From: Thomas H.Ptacek <tqbf () pobox com>
Date: Tue, 20 May 2003 14:46:56 -0400

> space.  Sit down and stare at several captures of HTTP transactions.
> Ones from IE, Netscape, Konq, Opera....  They all look different and
> this is where theory diverges from implementation. An anomaly in one is
> perfectly normal in the other.  It gets worse, the transactions start

You're making the assumption that "anomaly detection" means "protocol anomaly detection" (looking for protocol-specific weirdness). The impression I get is that most "protocol anomaly detection" is in fact largely rule-based.

"Anomaly detection", in the IDS context, means "detecting threats by observing things that deviate from a norm". Many types of anomaly detection systems do not use RFC-style rules as a "norm" to validate against.

---
Thomas H. Ptacek // Product Manager @ Arbor Networks
(734) 821-1432
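An added illustration of the distinction drawn in the reply above (example code written for this archive page, not code from the thread or its author): a rule-based "protocol anomaly" check tests each request against fixed RFC-derived constraints, while a baseline detector learns a norm from observed traffic and flags deviations from it. The header-name lists, the scoring formula and the threshold are constructed assumptions for the example.

```python
import math
from collections import Counter
# Constructed header-name lists standing in for captures from several
# browsers; as the thread notes, each client's requests look different.
TRAINING = [
    ["Host", "User-Agent", "Accept", "Accept-Language", "Connection"],   # IE-like
    ["Host", "User-Agent", "Accept", "Accept-Encoding", "Keep-Alive"],   # Netscape-like
    ["Host", "Connection", "User-Agent", "Accept", "Accept-Charset"],    # Konqueror-like
    ["User-Agent", "Host", "Accept", "Accept-Language", "Connection"],   # Opera-like
] * 5  # repeated so the learned norm has some weight behind it
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

def protocol_anomaly(method, headers):
    """Rule-based ("protocol anomaly") check: fixed RFC-derived constraints."""
    reasons = []
    if method not in ALLOWED_METHODS:
        reasons.append("unexpected method")
    if "Host" not in headers:
        reasons.append("missing Host")          # required by HTTP/1.1
    if len(headers) != len(set(headers)):
        reasons.append("duplicate header")
    return reasons

class Baseline:
    """Learned norm: header-name frequencies and header-count distribution."""
    def __init__(self, requests):
        self.n = len(requests)
        self.freq = Counter(h for r in requests for h in set(r))
        counts = [len(r) for r in requests]
        self.mean = sum(counts) / self.n
        var = sum((c - self.mean) ** 2 for c in counts) / self.n
        self.sd = math.sqrt(var) or 1.0       # avoid division by zero
        self.threshold = max(self.score(r) for r in requests)

    def score(self, headers):
        # Each header name costs -log(p) with +1 smoothing, so names never seen
        # in training cost the most; header-count deviation is added in sigmas.
        rarity = sum(-math.log((self.freq[h] + 1) / (self.n + 1)) for h in set(headers))
        return rarity + abs(len(headers) - self.mean) / self.sd

    def is_anomalous(self, headers, margin=1.0):
        """Flag anything scoring above the worst-scoring training request."""
        return self.score(headers) > self.threshold + margin

baseline = Baseline(TRAINING)
# Legal per the RFC rules, yet unlike anything the norm was built from.
NOVEL = ["Host", "User-Agent", "Accept", "Range", "If-Range", "Pragma", "Cache-Control", "Via"]
# Violates the RFC rule (no Host), yet statistically close to the norm.
NO_HOST = ["User-Agent", "Accept", "Accept-Language", "Connection"]
```

The two detectors disagree on both constructed requests: NOVEL passes every protocol rule but scores far outside the learned norm, while NO_HOST breaks a protocol rule yet looks statistically ordinary.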

