IDS mailing list archives
Re: Definition of Zero Day Protection
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 11 Aug 2004 17:43:03 -0400
I think this is a question of determinism versus nondeterminism in intrusion detection systems. The anticipated (hoped for?) implication by the offending marketing group of a system that offers "Zero Day Protection" is that the system is somehow nondeterministic in how it goes about detecting attacks on the network and can therefore protect you from things that nobody knows about. People who know how IDSes work know that this is a load of BS, but you can't keep a good marketing person down.
The reality of zero day protection as it stands today revolves primarily around protocol anomaly detection and rate-based thresholding. If the value of the foobar field in some protocol is larger than some expected norm then we can predict that there's a problem/anomaly/attack in progress and we can alert/prevent said attack. We know that this is deterministic in effect, just that it's hard coded into the protocol analysis module (i.e. a hard coded "signature"). The concept of an IDS is simple: we tell it what to look for and it tells us when it sees it, but the process of telling it what to look for has determinism implicit in the actual code that gets put into the system if things are being hardcoded, or in its "signatures" in a language-based system.
Here's a pretty good example. We had rules available for Sasser about two weeks before Sasser actually hit the net. How did we do it? We wrote Snort rules that (statefully) analyzed the DCERPC protocol and were capable of detecting the exploitation of the vulnerability. In effect, we had "zero day protection" for everyone that was up to date on their Snort rules from Sasser. So it is possible to have "zero day protection" but it's still from a set of things that you can imagine ahead of time and let your security infrastructure know about. Truly unknown attacks will waltz right by everything, which is why defense in depth and monitoring are still important.
-Marty

On Aug 8, 2004, at 9:47 PM, Teicher, Mark (Mark) wrote:

What is Zero Day Protection? I think I understand the definition of Zero Day Exploits. But what is Zero Day Protection? Another marketing blurb, or can vendors actually offer zero day protection? Thank you for clarifying my confusion

/m
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
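The two deterministic mechanisms Roesch describes (a hard-coded "expected norm" for a protocol field, and a rate-based threshold) as a small added example; this is illustration code written for this archive page, not Snort code or anything from the original thread. The field name "foobar", the limit of 256 bytes, the 5-events-in-10-seconds threshold and the sample traffic are all constructed assumptions.

```python
"""Deterministic 'zero day' checks: a hard-coded protocol-anomaly limit plus a
per-source rate threshold, run over constructed events (not real traffic)."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Hard-coded norm for the hypothetical 'foobar' field; an assumption for this
# example, not a real protocol limit. Anything longer is an "anomaly".
FOOBAR_MAX_LEN = 256
# Rate threshold (assumed): more than RATE_COUNT events from one source
# within RATE_WINDOW seconds is flagged.
RATE_COUNT = 5
RATE_WINDOW = 10.0


@dataclass
class Event:
    ts: float      # seconds since capture start
    src: str       # source address
    foobar: bytes  # the protocol field under inspection


class Detector:
    def __init__(self):
        self._hist = defaultdict(deque)  # src -> timestamps inside the window

    def check(self, ev):
        """Return the list of alert strings for one event (empty if none)."""
        alerts = []
        # Protocol anomaly: field value larger than the expected norm.
        if len(ev.foobar) > FOOBAR_MAX_LEN:
            alerts.append(f"anomaly src={ev.src} foobar_len={len(ev.foobar)}")
        # Rate-based threshold: sliding window of timestamps per source.
        q = self._hist[ev.src]
        q.append(ev.ts)
        while q and ev.ts - q[0] > RATE_WINDOW:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) > RATE_COUNT:
            alerts.append(f"rate src={ev.src} count={len(q)} window={RATE_WINDOW}s")
        return alerts


def run(events):
    """Feed events through one Detector and collect every alert in order."""
    d = Detector()
    out = []
    for ev in events:
        out.extend(d.check(ev))
    return out


# Constructed sample: one oversized field, then a burst from a single source.
SAMPLE = [Event(0.0, "10.0.0.5", b"A" * 16), Event(1.0, "10.0.0.5", b"A" * 300)] + \
         [Event(2.0 + 0.5 * i, "10.0.0.9", b"ok") for i in range(7)]

if __name__ == "__main__":
    for a in run(SAMPLE):
        print(a)
```

Both checks fire only on conditions someone wrote down ahead of time, which is the point of the post: an attack that violates neither the field norm nor the rate limit passes silently.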