IDS mailing list archives
Re: IDS Evaluation
From: Stefano Zanero <zanero () elet polimi it>
Date: Fri, 07 Jan 2005 15:58:44 +0100
naga raj peddisetty wrote:
Hello, I am evaluating IDS products based on some important characteristics and challenges.
It's not an easy task :)
In this process I have to evaluate Cisco, NFR, Intruder Alert, SecureNet, Netscreen IDP and Tripwire for zero-day attack measurement.
This is even LESS easy.
1) So, could you please suggest to me what the best measurements are for zero-day attacks?
It's very simple in theory. You pick up a new vulnerability, for which an exploit exists and for which a specific signature has not yet been written, and you see if your IDS is able to catch it.
Hint: misuse-based IDSs will, mostly, fail.
Hint (upper layer): your test is a bit strange; how would you compare host-based and network-based technologies in the same pot?
2) How frequently must an IDS product be updated in order to protect against zero-day attacks?
Definition: a zero-day is an exploit which is not publicly available through full disclosure channels, and most of the time is a new exploit for a new vulnerability; sometimes (but more rarely) a new exploit for a known vulnerability is also called a zero-day.
Corollary: in the FIRST case, no matter how often you update your misuse-based IDS, it will be mostly useless. In the SECOND case, if a good signature was written for the VULNERABILITY (i.e. there is a "focal point" of the attack which cannot be bypassed) then the new EXPLOIT will also be caught; otherwise it will not.
3) What are the other measures to look for in products for protection against zero-day attacks?
Being anomaly-based as opposed to misuse-based. Tripwire is the only anomaly-based IDS you have cited. AFAIK the others listed have only basic anomaly detection features (protocol anomaly detection, mainly).
Regards,
Stefano Zanero
Ph.D. Student
Politecnico di Milano - Dip. Elettronica e Informazione
www.elet.polimi.it/upload/zanero
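The distinction Zanero draws above (an exploit-specific signature versus one written for the vulnerability's "focal point", and both versus an anomaly detector that knows about neither) is easiest to see side by side. The following is an added example, not code from this thread or from any of the products named in it. It invents a toy text protocol with a "USER <name>" command, a hypothetical 64-byte server buffer, two constructed exploit messages and a handful of constructed benign messages; all of those are assumptions made for the illustration. The point it demonstrates is that the exploit-specific rule misses the second exploit for the same bug, while the vulnerability-keyed rule and the anomaly detector catch both.

```python
"""
Added illustration (not code from the thread): three detection strategies
run over constructed sample messages for a hypothetical "USER <name>" command
handled by a server with a fixed 64-byte name buffer. The protocol, the
buffer size and every payload below are made up for the example.
"""
import re
import statistics

BUFFER_SIZE = 64  # hypothetical size of the server's name buffer

# Constructed benign traffic used to train the anomaly detector.
BENIGN_TRAFFIC = [
    b"USER alice\r\n",
    b"USER bob\r\n",
    b"USER carol.smith\r\n",
    b"USER dave_42\r\n",
    b"USER eve-test-account\r\n",
]
# The exploit the signature writer had in hand: NOP-style filler plus a
# recognizable string (constructed, not a real exploit).
KNOWN_EXPLOIT = b"USER " + b"\x90" * 120 + b"/bin/sh\x00" + b"\r\n"
# A new exploit for the SAME overflow: different filler, different payload
# bytes (constructed, arbitrary values).
NEW_VARIANT = b"USER " + b"\x41" * 96 + b"\xeb\x1f\x5e\x89\x76\x08" + b"\r\n"


def parse_user_arg(msg: bytes):
    """Return the argument of a USER command, or None if not a USER command."""
    if not msg.startswith(b"USER "):
        return None
    return msg[5:].rstrip(b"\r\n")


# Strategy 1: exploit-specific misuse signature. It matches what the first
# exploit looked like, not what makes the server vulnerable.
EXPLOIT_PATTERN = re.compile(rb"\x90{32,}.*/bin/sh", re.DOTALL)


def exploit_signature(msg: bytes) -> bool:
    return EXPLOIT_PATTERN.search(msg) is not None


# Strategy 2: vulnerability-based signature keyed on the focal point: the
# (hypothetical) server copies the USER argument into a 64-byte buffer with
# no length check, so any longer argument is an attack whatever the payload.
def vulnerability_signature(msg: bytes) -> bool:
    arg = parse_user_arg(msg)
    return arg is not None and len(arg) > BUFFER_SIZE


# Strategy 3: anomaly detection with no knowledge of the bug or the exploit.
# Baseline = argument length distribution and byte set seen in benign traffic.
class LengthAndCharsetAnomaly:
    def __init__(self, sigma: float = 3.0):
        self.sigma = sigma
        self.mean = 0.0
        self.stdev = 1.0
        self.charset = set()

    def train(self, samples):
        lengths = []
        for m in samples:
            arg = parse_user_arg(m)
            if arg is None:
                continue
            lengths.append(len(arg))
            self.charset.update(arg)  # bytes iterate as ints
        self.mean = statistics.mean(lengths)
        self.stdev = statistics.pstdev(lengths) or 1.0  # avoid a zero-width band

    def is_anomalous(self, msg: bytes) -> bool:
        arg = parse_user_arg(msg)
        if arg is None:
            return False
        too_long = len(arg) > self.mean + self.sigma * self.stdev
        unseen_bytes = any(b not in self.charset for b in arg)
        return too_long or unseen_bytes


def evaluate(detector, samples) -> int:
    """Number of samples the detector flags (false positives on benign data)."""
    return sum(1 for m in samples if detector(m))


def run_comparison() -> dict:
    anomaly = LengthAndCharsetAnomaly()
    anomaly.train(BENIGN_TRAFFIC)
    detectors = {
        "exploit signature": exploit_signature,
        "vulnerability signature": vulnerability_signature,
        "anomaly (length+charset)": anomaly.is_anomalous,
    }
    return {
        name: {
            "false_positives": evaluate(fn, BENIGN_TRAFFIC),
            "known_exploit": fn(KNOWN_EXPLOIT),
            "new_variant": fn(NEW_VARIANT),
        }
        for name, fn in detectors.items()
    }


if __name__ == "__main__":
    for name, result in run_comparison().items():
        print(f"{name:26s} {result}")
```

Running it shows the exploit-specific rule flagging only the known exploit, while the vulnerability rule and the anomaly detector flag both messages and neither flags the benign samples. The anomaly detector's advantage comes at a price the thread also hints at: its verdict depends entirely on how representative the training traffic is, so a legitimately long or unusual user name would be reported too.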
Current thread:
- IDS Evaluation naga raj peddisetty (Jan 06)
- Re: IDS Evaluation Stefano Zanero (Jan 08)