IDS mailing list archives

Re: IDS Evaluation


From: Stefano Zanero <zanero () elet polimi it>
Date: Fri, 07 Jan 2005 15:58:44 +0100

naga raj peddisetty wrote:

> Hello, I am evaluating IDS products based on some important
> characteristics and challenges.

It's not an easy task :)

> In this process I have to evaluate
> Cisco, NFR, Intruder Alert, SecureNet, Netscreen IDP and Tripwire for
> the ZERO-DAY attack measurement.

This is even LESS easy.

> 1) So, could you please suggest to me
> what the best measurements are for a zero-day attack.

It's very simple in theory. You pick up a new vulnerability, for which an exploit exists and for which a specific signature has not yet been written, and you see if your IDS is able to catch it.

Hint: misuse based IDSs will, mostly, fail.

Hint - upper layer: your test is a bit strange; how would you compare host-based and network-based technologies in the same pot?

> 2) How
> frequently must an IDS product be updated in order to protect against
> zero-day attacks?

Definition: a zero-day is an exploit which is not publicly available through full disclosure channels, and most of the time is a new exploit for a new vulnerability; sometimes (but more rarely) a new exploit for a known vulnerability is also called a zero-day.

Corollary: in the FIRST case, no matter how often you update your misuse-based IDS, it will be mostly useless. In the SECOND case, if a good signature was written for the VULNERABILITY (i.e. there is a "focal point" of the attack which cannot be bypassed) then the new EXPLOIT will also be caught; otherwise it will not.

> 3) What are the other measures to look for in
> products for protection against zero-day attacks?

Being anomaly-based as opposed to misuse-based. Tripwire is the only anomaly-based IDS you have cited. AFAIK the others listed have only basic anomaly detection features (protocol anomaly detection, mainly).

Regards,
Stefano Zanero
Ph.D. Student

Politecnico di Milano - Dip. Elettronica e Informazione
www.elet.polimi.it/upload/zanero
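The three detection styles contrasted in the reply above (a signature written from a known exploit, a signature written for the vulnerability's "focal point", and an anomaly baseline), as an added toy comparison that is not from the list post or any of the products named. It assumes a hypothetical server flaw in an over-long `user` parameter, constructed sample requests, and a decoded-length check as the vulnerability-level rule.

```python
import re
import statistics
from urllib.parse import unquote

# Constructed sample requests (not real captures). The hypothetical server
# mishandles a 'user' value longer than 64 characters; that is the "focal point".
BASELINE = ["GET /login?user=%s HTTP/1.0" % u for u in ("alice", "bob", "carol", "dave", "erin")]
SAMPLES = {
    "known_exploit": "GET /login?user=" + "A" * 200 + " HTTP/1.0",    # the published one
    "new_exploit":   "GET /login?user=" + "%41" * 120 + " HTTP/1.0",  # same flaw, re-encoded
    "benign_long":   "GET /login?user=" + "x" * 40 + " HTTP/1.0",     # unusual but harmless
}

def user_field(req):
    """Return the raw 'user' value from a request, or '' if absent."""
    m = re.search(r"user=([^ &]*)", req)
    return m.group(1) if m else ""

def exploit_signature(req):
    """Misuse rule written from the known exploit: a literal run of 'A's."""
    return re.search(r"user=A{100,}", req) is not None

def vulnerability_signature(req):
    """Misuse rule written for the vulnerability: the decoded value is too long."""
    return len(unquote(user_field(req))) > 64

class LengthAnomaly:
    """Anomaly rule: flag values far outside the lengths seen in baseline traffic."""
    def __init__(self, baseline, k=3.0):
        lengths = [len(user_field(r)) for r in baseline]
        spread = max(statistics.pstdev(lengths), 1.0)  # avoid a zero-width band
        self.threshold = statistics.mean(lengths) + k * spread

    def __call__(self, req):
        return len(user_field(req)) > self.threshold

def evaluate(samples=SAMPLES, baseline=BASELINE):
    """Run every detector over every sample; returns {detector: {sample: flagged}}."""
    detectors = {
        "exploit_signature": exploit_signature,
        "vulnerability_signature": vulnerability_signature,
        "length_anomaly": LengthAnomaly(baseline),
    }
    return {name: {s: bool(d(req)) for s, req in samples.items()} for name, d in detectors.items()}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(name, verdicts)
```

The exploit-derived rule misses the re-encoded variant, the vulnerability-level rule catches both, and the anomaly baseline catches both but also flags the harmless long value, which is the false-positive cost of that approach.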
