At 06:01 PM 8/29/2005, Stefano Zanero wrote:
Daniel Cid wrote:
> This "anomaly" detection will only detect 0-day
> exploits for known vulnerabilities.
A zero-day exploit is a curious marketing thing. You suddenly redefine a
difficult problem (catching zero-days) as a rather simpler problem
(create signatures that actually describe the vulnerability, which is
what any signature worth your licensing cost should do).
So, presto!, you can rush up and put out some rather nice marketing
material on it.
Fact is, anomaly detection is so rare that it's almost unexistant in the
commercial products, except for limited forms of "protocol anomaly
detection" and for Arbor's peakflow technology.
Two comments here.
- lot's of NIDS that tend to code for a vulnerability, don't actually
code for the vulnerability. They are still writing attack signatures.
The attack signatures are smarter than what was standard about five
years ago, but I've yet to really see a NIDS come out of the box
with full vuln/IDS correlation.
- I agree that "anomaly detection" != "zero day" detection. Just because
my DNS server starts to connect to all the other hosts on my network,
doesn't mean it has got a worm on it.
Ron Gula, CTO
Tenable Network Security
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
