Hi Stefano:
I got confused over one comment made by you: "First hint of the day: if
there is a regexp there, it's NOT anomaly
detection." why it is so? I can use association or frequent episode rules
to capture normal behavior (you know this), and I can use regexp to
represent such rules. in this case, it is anomaly based detection with
regexp. Am I missing something?
Regards
Sanjay
At 03:36 AM 8/30/2005, Stefano Zanero wrote:
Joey Peloquin wrote:
> I'm evaluating TippingPoint's device right now, and that's not entirely
> true. The only *static* signatures used are the AV, Spyware, IM, and
> P2P filters. Everything else is anomaly-based, through the use of
> regex,
First hint of the day: if there is a regexp there, it's NOT anomaly
detection.
> and the vulnerabilities themselves.
Second hint of the day: if the "description of vulnerabilities" is in
there somewhere, that means "misuse based" detection. Anomaly based
detection happens when you have a model of what is good, and declare
what is not good to be bad.
> This is why TP claims the
> ability to stop so-called 0-day attacks.
They can also claim the throne of the kingdom of Hackerhood, but
nevertheless, this is nothing of the kind.
> In fact all vendors who claim the ability to stop 0-day attacks do so
> because they are supposed to be filtering on the vulnerability
And then they are just deluding their customers.
> of these devices is the fact that they do "deep packet inspection",
> rather than a protcol decode and "best guess" based on irregularities in
> the way it's supposed to function.
That's called "protocol anomaly detection", and you can find rants about
it by googling...
Best,
Stefano Zanero
---------------------------
Secure Network S.r.l.
www.securenetwork.it
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
Homepage: http://sanjay-rawat.tripod.com
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
