Joey Peloquin wrote:

> I'm evaluating TippingPoint's device right now, and that's not entirely
> true. The only *static* signatures used are the AV, Spyware, IM, and
> P2P filters. Everything else is anomaly-based, through the use of
> regex,

First hint of the day: if there is a regexp there, it's NOT anomaly
detection.

> and the vulnerabilities themselves.

Second hint of the day: if the "description of vulnerabilities" is in
there somewhere, that means "misuse-based" detection. Anomaly-based
detection happens when you have a model of what is good, and declare
what is not good to be bad.

> This is why TP claims the
> ability to stop so-called 0-day attacks.

They can also claim the throne of the kingdom of Hackerhood, but
nevertheless, this is nothing of the kind.

> In fact all vendors who claim the ability to stop 0-day attacks do so
> because they are supposed to be filtering on the vulnerability

And then they are just deluding their customers.

> of these devices is the fact that they do "deep packet inspection",
> rather than a protocol decode and "best guess" based on irregularities in
> the way it's supposed to function.

That's called "protocol anomaly detection", and you can find rants about
it by googling...

Best,

Stefano Zanero

---------------------------
Secure Network S.r.l.
www.securenetwork.it
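The distinction Stefano draws above (a list of regexps is misuse detection; a model of "good" that flags everything else is anomaly detection) is easy to see side by side in code. The following is an added example, not code from the thread, from TippingPoint, or from any product: a toy misuse detector made of three regexps, and a toy protocol-anomaly model for HTTP request lines that learns methods, versions, character set, target length and path depth from a constructed baseline. The baseline traffic and the test requests are constructed for the example; the signature names and the model's features are assumptions chosen for illustration.

```python
"""Misuse (signature) detection vs. anomaly (model-of-normal) detection,
applied to HTTP request lines. Added example; sample traffic is constructed."""
import re

# Constructed baseline of "known good" request lines (an assumption, not
# real traffic). The anomaly model learns only from these.
BASELINE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /products?id=42 HTTP/1.1",
    "GET /products?id=7&sort=price HTTP/1.1",
    "POST /login HTTP/1.1",
    "POST /cart/add HTTP/1.1",
    "GET /static/css/site.css HTTP/1.0",
    "HEAD /index.html HTTP/1.1",
]

# --- Misuse detection: patterns describing known-bad input -------------
# Signature names are illustrative; the regexps are deliberately simple.
SIGNATURES = {
    "sqli-union-select": re.compile(r"union(\s|\+|%20)+select", re.IGNORECASE),
    "path-traversal": re.compile(r"(\.\./|%2e%2e%2f)", re.IGNORECASE),
    "cmd-exec": re.compile(r"(cmd\.exe|/bin/sh)", re.IGNORECASE),
}


def misuse_detect(request_line):
    """Names of every signature that matches. An empty list means
    'no *known* attack pattern', which is not the same as 'benign'."""
    return [name for name, rx in SIGNATURES.items() if rx.search(request_line)]


# --- Anomaly detection: learn "good", flag everything that deviates ------
class RequestLineModel:
    """Builds a model of normal request lines from a baseline and reports
    every way a new line departs from it. Nothing here knows what an
    attack looks like; it only knows what the baseline looked like."""

    def __init__(self):
        self.methods = set()
        self.versions = set()
        self.charset = set()        # characters ever seen in a request target
        self.max_target_len = 0
        self.max_depth = 0          # deepest "/" nesting seen in a path

    @staticmethod
    def _parse(line):
        parts = line.split(" ")
        return tuple(parts) if len(parts) == 3 else None

    def fit(self, lines):
        for line in lines:
            parsed = self._parse(line)
            if parsed is None:
                raise ValueError("baseline must be well-formed: %r" % line)
            method, target, version = parsed
            self.methods.add(method)
            self.versions.add(version)
            self.charset.update(target)
            self.max_target_len = max(self.max_target_len, len(target))
            self.max_depth = max(self.max_depth, target.split("?")[0].count("/"))
        return self

    def deviations(self, line):
        """List of deviations from the learned model; [] means 'looks normal'."""
        parsed = self._parse(line)
        if parsed is None:
            return ["malformed request line"]
        method, target, version = parsed
        found = []
        if method not in self.methods:
            found.append("unseen method %s" % method)
        if version not in self.versions:
            found.append("unseen version %s" % version)
        unseen = "".join(sorted(set(target) - self.charset))
        if unseen:
            found.append("unseen characters %r" % unseen)
        if len(target) > self.max_target_len:
            found.append("target length %d > %d" % (len(target), self.max_target_len))
        if target.split("?")[0].count("/") > self.max_depth:
            found.append("path depth > %d" % self.max_depth)
        return found


def classify(model, line):
    """Run both detectors on one request line and return their verdicts."""
    return {"misuse": misuse_detect(line), "anomaly": model.deviations(line)}


if __name__ == "__main__":
    model = RequestLineModel().fit(BASELINE_REQUESTS)
    for sample in [
        "GET /products?id=4 HTTP/1.1",                       # ordinary
        "GET /products?id=42+union+select+1,2 HTTP/1.1",     # known attack
        "GET /" + "A" * 300 + " HTTP/1.1",                   # no signature for this
        "GET /cmd.exe HTTP/1.1",                             # matches a signature, looks normal
        "OPTIONS / HTTP/1.1",                                # legitimate but unseen
    ]:
        print(sample[:40].ljust(42), classify(model, sample))
```

The two approaches fail in opposite directions: the 300-byte target matches no signature, so misuse detection is silent, while the model flags it on length and character set; `/cmd.exe` matches a signature but is structurally indistinguishable from the baseline, so the model says nothing; and a perfectly legitimate `OPTIONS` request is flagged simply because the baseline never contained one. Both the miss and the false positive follow directly from "declare what is not good to be bad", which is why a product built on regexps and vulnerability descriptions cannot honestly call itself anomaly-based.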
