Re: IPS comparison

[Sanjay Rawat <sanjayr () intoto com>]

> Hi Frank:

the points which you raised are correct, but this is the underline 
assumption that you have CLEAN attack-free data to train your anomaly IDS. 
in the example, which you put, you need to ensure that your new host is not 
compromised. Also, from time to time, you need to update the learning by 
putting your  IDS in learning/training mode. In fact, such things are main 
barriers in deploying anomaly based IDS.

regards
Sanjay


> uhm... then I would rather not use Stealthwatch. If a new host comes
> online, I'd like to receive an alert on that. Also, letting the IDS
> guess what is normal may be suboptimal. For instance, if a host is
> hacked and starts an FTP server on a new IP address the hacker assigns
> (new host), the IDS will watch the FTP traffic of the pubstro and then
> consider it normal. Except that it isn't :)
>
> So having an IDS accept a new host and consider it's traffic normal
> without any sort of alerts of user intervention can hardly be considered
> a "successful" IDS.
>
> Regards,
> Frank
>
>
> --
> Ciscogate: Shame on Cisco. Double-Shame on ISS.

Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
  Homepage: http://sanjay-rawat.tripod.com






------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------