IDS mailing list archives

Re: IDS vs Application Proxy Firewall


From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Tue, 28 Oct 2008 15:44:52 -0700

To Stephano's response, I would like to add
that I think I completely misused the terms
blacklist vs. whitelist when discussing anomaly
detection (and I mix anomaly and misuse case).

I have not kept up with IDS and clearly need
to go read more recent work to bring myself
up to speed with the terms and concepts.

So when you read my post asserting anomaly
detection validity, understand I am lumping in
misuse case and ignore my attempts to align
it with black & white verbiage.

As Ptacek would say: "I'm so 1999".

-ae

On Mon, Oct 27, 2008 at 8:21 PM, Omar Herrera <oherrera () prodigy net mx> wrote:
Hi Arian,

Arian J. Evans wrote:
Omar -- you have a very nice, well-thought-out,
post below. Yet, philosophically, I could not
agree with you less.

BAD (behavioral anomaly detection) can be approached
as either a blacklist or a whitelist. Though, to be fair,
the cases for whitelisting in BAD fashion are fewer,
and since in BAD you are talking statistical inference
or deduction, there is a fuzzy, slippery slope between
"black" and "white" listing.

True, my examples were only assuming BAD detection, but whitelisting
through automatic software has its flaws. You are not guaranteed to get
a complete whitelist with an automatic tool because it can only take
into account what it sees and what it measures. So this activity is time
dependent, and unless you try to guess if good or bad, you will end up
reacting anyway. Whitelists should have human intervention to include
as much context information as possible to be effective, in my opinion.

-- 
Arian J. Evans.
Software. Security. Stuff.
