IDS mailing list archives

Re: IPS comparison

From: Stefano Zanero <s.zanero () securenetwork it>
Date: Tue, 30 Aug 2005 00:01:01 +0200

Daniel Cid wrote:

This "anomaly" detection will only detect 0-day
exploits for known vulnerabilities.


A zero-day exploit is a curious marketing thing. You suddenly redefine a
difficult problem (catching zero-days) as a rather simpler problem
(create signatures that actually describe the vulnerability, which is
what any signature worth your licensing cost should do).

So, presto!, you can rush up and put out some rather nice marketing
material on it.

Fact is, anomaly detection is so rare that it's almost unexistant in the
commercial products, except for limited forms of "protocol anomaly
detection" and for Arbor's peakflow technology.

Best,
Stefano Zanero
---------------------------
Secure Network S.r.l.
www.securenetwork.it

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------

Current thread:

Re: IPS Comparison Stefano Zanero (Aug 27)
- <Possible follow-ups>
- Re: IPS comparison Stefano Zanero (Aug 29)
  - Re: IPS comparison Sanjay Rawat (Aug 30)
    - Re: IPS comparison Stefano Zanero (Aug 30)
- Re: IPS comparison Stefano Zanero (Aug 29)
  - Re: IPS comparison Ron Gula (Aug 30)
    - Re: IPS comparison Adam Powers (Aug 31)
  - Re: IPS comparison Mike Poor (Aug 30)
- RE: IPS comparison Joseph Hamm (Aug 30)
  - RE: IPS comparison Seek Knowledge (Aug 31)
- RE: IPS comparison Joseph Hamm (Aug 30)
  - Message not available
    - RE: IPS comparison Ron Gula (Aug 31)