Re: IPS comparison

[Stefano Zanero <s.zanero () securenetwork it>]

Joey Peloquin wrote:

> I'm evaluating TippingPoint's device right now, and that's not entirely
> true.  The only *static* signatures used are the AV, Spyware, IM, and
> P2P filters.  Everything else is anomaly-based, through the use of
> regex,

First hint of the day: if there is a regexp there, it's NOT anomaly
detection.

> and the vulnerabilities themselves.  

Second hint of the day: if the "description of vulnerabilities" is in
there somewhere, that means "misuse based" detection. Anomaly based
detection happens when you have a model of what is good, and declare
what is not good to be bad.

> This is why TP claims the
> ability to stop so-called 0-day attacks.

They can also claim the throne of the kingdom of Hackerhood, but
nevertheless, this is nothing of the kind.

> In fact all vendors who claim the ability to stop 0-day attacks do so
> because they are supposed to be filtering on the vulnerability

And then they are just deluding their customers.

> of these devices is the fact that they do "deep packet inspection",
> rather than a protcol decode and "best guess" based on irregularities in
> the way it's supposed to function.

That's called "protocol anomaly detection", and you can find rants about
it by googling...

Best,
Stefano Zanero
---------------------------
Secure Network S.r.l.
www.securenetwork.it

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------