I just got done testing a number of IPS devices using simple publicly
available tools such as metasploit, fragroute, and bot commands. I think
before we start worrying about IPS systems blocking arkane, rare, and even
zero day attacks... they need to start by blocking attacks that have been
out since 1999!
Mike
--On Tuesday, August 30, 2005 12:01 AM +0200 Stefano Zanero
<[EMAIL PROTECTED]> wrote:
Daniel Cid wrote:
This "anomaly" detection will only detect 0-day
exploits for known vulnerabilities.
A zero-day exploit is a curious marketing thing. You suddenly redefine a
difficult problem (catching zero-days) as a rather simpler problem
(create signatures that actually describe the vulnerability, which is
what any signature worth your licensing cost should do).
So, presto!, you can rush up and put out some rather nice marketing
material on it.
Fact is, anomaly detection is so rare that it's almost unexistant in the
commercial products, except for limited forms of "protocol anomaly
detection" and for Arbor's peakflow technology.
Best,
Stefano Zanero
---------------------------
Secure Network S.r.l.
www.securenetwork.it
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
