IDS mailing list archives
Re: IDS vs Application Proxy Firewal
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Tue, 28 Oct 2008 15:44:52 -0700
To Stefano's response, I would like to add that I think I completely misused the terms blacklist vs. whitelist when discussing anomaly detection (and I mix anomaly and misuse case). I have not kept up with IDS and clearly need to go read more recent work to bring myself up to speed with the terms and concepts. So when you read my post asserting anomaly detection validity, understand I am lumping in misuse case and ignore my attempts to align it with black & white verbiage. As Ptacek would say: "I'm so 1999".

-ae

On Mon, Oct 27, 2008 at 8:21 PM, Omar Herrera <oherrera () prodigy net mx> wrote:
> Hi Arian,
>
> Arian J. Evans wrote:
>> Omar -- you have a very nice, well-thought-out post below. Yet, philosophically, I could not agree with you less. BAD (behavioral anomaly detection) can be approached as either a blacklist or a whitelist. Though, to be fair, the cases for whitelisting in BAD fashion are fewer, and since in BAD you are talking statistical inference or deduction, there is a fuzzy, slippery slope between "black" and "white" listing.
>
> True, my examples were only assuming bad detection, but whitelisting through automatic software has its flaws. You are not guaranteed to get a complete whitelist with an automatic tool because it can only take into account what it sees and what it measures. So this activity is time dependent, and unless you try to guess whether something is good or bad, you will end up reacting anyway. Whitelists should have human intervention to include as much context information as possible to be effective, in my opinion.
--
Arian J. Evans. Software. Security. Stuff.
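Omar's point above, that an automatically learned whitelist is bounded by whatever traffic the tool happened to observe during its learning window, is easy to show in code. The following is an added illustration, not code from the thread or from any product the posters mention: a toy learning-mode whitelist for HTTP query parameters, next to a human-written allow rule for the same parameters. All request lines, parameter names and regexes are constructed for the example.

```python
"""
Added example, not from the thread: a toy learning-mode parameter whitelist
for HTTP requests, contrasted with a human-written allow rule. It illustrates
that an automatically learned whitelist only covers what the sensor happened
to observe. All request lines below are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed training window: the traffic the learning tool got to see.
TRAINING_REQUESTS = [
    "/search?q=printer&page=1",
    "/search?q=laptop&page=2",
    "/search?q=laptop&page=1",
    "/account?id=1001",
    "/account?id=1002",
]

# Constructed live traffic after learning ends: (request, is_attack).
LIVE_REQUESTS = [
    ("/search?q=monitor&page=3", False),    # legitimate, unseen in training
    ("/account?id=1003", False),            # legitimate new account id
    ("/account?id=1001%20OR%201=1", True),  # injection attempt
    ("/search?q=laptop&page=1", False),     # identical to a training request
]


def parse_params(request_line):
    """Split a request line into its path and decoded (name, value) pairs."""
    parts = urlsplit(request_line)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def learn_whitelist(requests):
    """Automatic whitelist: every value observed per (path, parameter)."""
    observed = defaultdict(set)
    for req in requests:
        path, params = parse_params(req)
        for name, value in params:
            observed[(path, name)].add(value)
    return observed


def check_learned(whitelist, request_line):
    """Flag every parameter whose value was never seen during learning."""
    path, params = parse_params(request_line)
    return [(n, v) for n, v in params if v not in whitelist.get((path, n), set())]


# Human-supplied context: what each parameter is allowed to look like, written
# by someone who knows the application rather than inferred from traffic.
# These patterns are assumptions made for the example.
HUMAN_RULES = {
    ("/search", "q"): re.compile(r"[A-Za-z0-9 ]{1,40}"),
    ("/search", "page"): re.compile(r"[0-9]{1,3}"),
    ("/account", "id"): re.compile(r"[0-9]{4}"),
}


def check_rules(rules, request_line):
    """Flag parameters that are unknown or whose value fails its rule."""
    path, params = parse_params(request_line)
    flagged = []
    for n, v in params:
        rule = rules.get((path, n))
        if rule is None or not rule.fullmatch(v):
            flagged.append((n, v))
    return flagged


def score(checker, traffic=LIVE_REQUESTS):
    """Return (false_positives, detections) for a checker over labelled traffic."""
    false_positives = detections = 0
    for req, is_attack in traffic:
        if checker(req):
            if is_attack:
                detections += 1
            else:
                false_positives += 1
    return false_positives, detections


if __name__ == "__main__":
    learned = learn_whitelist(TRAINING_REQUESTS)
    print("learned whitelist (false positives, detections):",
          score(lambda r: check_learned(learned, r)))
    print("human rules       (false positives, detections):",
          score(lambda r: check_rules(HUMAN_RULES, r)))
    for req, _ in LIVE_REQUESTS:
        print(req, "->", check_learned(learned, req) or "ok")
```

Both checkers catch the injected value, but the learned whitelist also flags two perfectly legitimate requests simply because "monitor", page 3 and account 1003 never appeared during learning. Extending the learning window only moves the problem in time; the human-written rules encode what the parameters are allowed to be rather than what they happened to be, which is the context Omar argues a whitelist needs.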
Current thread:
- Re: IDS vs Application Proxy Firewal, (continued)
- Re: IDS vs Application Proxy Firewal Stefano Zanero (Oct 28)
- Re: IDS vs Application Proxy Firewal Omar Herrera (Oct 28)
- Re: IDS vs Application Proxy Firewal Stefano Zanero (Oct 28)
- Re: IDS vs Application Proxy Firewal Ashish Kamra (Oct 29)
- Re: IDS vs Application Proxy Firewal Stefano Zanero (Oct 29)
- RE: IDS vs Application Proxy Firewal Kamra, Ashish (Oct 29)
- Re: IDS vs Application Proxy Firewal Stefano Zanero (Oct 29)
- Re: IDS vs Application Proxy Firewal Damiano Bolzoni (Oct 28)
- Re: IDS vs Application Proxy Firewal Arian J. Evans (Oct 28)
- Re: IDS vs Application Proxy Firewal Omar Herrera (Oct 28)
- Re: IDS vs Application Proxy Firewal Arian J. Evans (Oct 29)