IDS mailing list archives
RE: IPS comparison
From: "Joseph Hamm" <jhamm () lancope com>
Date: Tue, 30 Aug 2005 17:15:52 -0400
- I agree that "anomaly detection" != "zero day" detection. Just
because
my DNS server starts to connect to all the other hosts on my
network,
doesn't mean it has got a worm on it.
It might if your DNS server doesn't normally do this. Consider a network anomaly detection system that profiled your network and created unique usage/behavioral profiles for each host (including Ron's DNS server). You've told the box how your internal address space is defined so now the box also knows your network's "dark" or unused address space. (Defined internal address space) - (active hosts seen) = Unused or "Dark" IP space Now consider that your DNS server gets infected with a new worm and starts scanning nearby hosts. A smart NADS (network anomaly detection system) will be able to quickly determine that this host is scanning your dark address space (honeynet concept). Any activity being directed at this unused space can be assumed to be suspect. Also, consider the port being used. If this is not a port that the DNS server normally uses, then that would be suspect as well. Not to mention all of the tcp resets or icmp port unreachables (in the case of UDP) that the DNS server will receive as it scans across your network. Check out the whitepapers published by NADS vendors that outline cases where new "zero-day" worms were detected before signatures became available. I agree that marketing departments squeeze all they can out of zero-day, but I can at least vouch that our SteatlhWatch products detected Zotob (and its variants) without the need for any signature updates. This means customers had early detection before signatures were available. I'm sure there are some other vendors out there that can report the same. Even signature based solutions can tout this if they write sigs for the vulnerability as opposed to the exploit. Joe Joe Hamm, CISSP Senior Security Engineer Lancope, Inc. jhamm () lancope com 404.644.7227 (cell) 770.225.6509 (fax) Lancope - Security through Network Intelligence(tm) StealthWatch(tm) by Lancope, a next-generation network security solution, delivers behavior-based intrusion detection, policy enforcement and insightful network analysis. Visit www.lancope.com. -----Original Message----- From: Ron Gula [mailto:rgula () tenablesecurity com] Sent: Monday, August 29, 2005 8:56 PM To: Focus-Ids Mailing List Subject: Re: IPS comparison At 06:01 PM 8/29/2005, Stefano Zanero wrote:
Daniel Cid wrote:This "anomaly" detection will only detect 0-day exploits for known vulnerabilities.A zero-day exploit is a curious marketing thing. You suddenly redefine a difficult problem (catching zero-days) as a rather simpler problem (create signatures that actually describe the vulnerability, which is what any signature worth your licensing cost should do). So, presto!, you can rush up and put out some rather nice marketing material on it. Fact is, anomaly detection is so rare that it's almost unexistant in the commercial products, except for limited forms of "protocol anomaly detection" and for Arbor's peakflow technology.
Two comments here. - lot's of NIDS that tend to code for a vulnerability, don't actually code for the vulnerability. They are still writing attack signatures. The attack signatures are smarter than what was standard about five years ago, but I've yet to really see a NIDS come out of the box with full vuln/IDS correlation. - I agree that "anomaly detection" != "zero day" detection. Just because my DNS server starts to connect to all the other hosts on my network, doesn't mean it has got a worm on it. Ron Gula, CTO Tenable Network Security ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Re: IPS Comparison Stefano Zanero (Aug 27)
- <Possible follow-ups>
- Re: IPS comparison Stefano Zanero (Aug 29)
- Re: IPS comparison Sanjay Rawat (Aug 30)
- Re: IPS comparison Stefano Zanero (Aug 30)
- Re: IPS comparison Sanjay Rawat (Aug 30)
- Re: IPS comparison Stefano Zanero (Aug 29)
- Re: IPS comparison Ron Gula (Aug 30)
- Re: IPS comparison Adam Powers (Aug 31)
- Re: IPS comparison Mike Poor (Aug 30)
- Re: IPS comparison Ron Gula (Aug 30)
- RE: IPS comparison Joseph Hamm (Aug 30)
- RE: IPS comparison Seek Knowledge (Aug 31)
- RE: IPS comparison Joseph Hamm (Aug 30)
- Message not available
- RE: IPS comparison Ron Gula (Aug 31)
- Message not available