IDS mailing list archives
Re: IDS thoughts
From: Thomas H. Ptacek <tqbf () pobox com>
Date: Tue, 20 May 2003 14:46:56 -0400
space. Sit down and stare at several captures of HTTP transactions. Ones from IE, Netscape, Konq, Opera.... They all look different and this is where theory diverges from implementation. An anomaly in one is perfectly normal in the other. It gets worse, the transactions start
You're making the assumption that "anomaly detection" means "protocol anomaly detection" (looking for protocol-specific weirdness). The impression I get is that most "protocol anomaly detection" is in fact largely rule-based.
"Anomaly detection", in the IDS context, means "detecting threats by observing things that deviate from a norm". Many types of anomaly detection systems do not use RFC-style rules as a "norm" to validate against.
---
Thomas H. Ptacek // Product Manager @ Arbor Networks
(734) 821-1432