Network Security Focus-IDS

Re: IDS Evaluation

Subject: Re: IDS Evaluation
Date: Fri, 07 Jan 2005 15:58:44 +0100
naga raj peddisetty wrote:

> Hello, I am evaluating IDS products based on some important
> characteristics and challenges.

It's not an easy task :)

> In this process I have to evaluate
> Cisco, NFR, Intruder Alert, SecureNet, Netscreen IDP and Tripwire for
> the ZERO-DAY attack measurement.

This is even LESS easy.

> 1) So, could you please suggest to me
> what the best measurements are for zero-day attacks?

It's very simple in theory. You pick up a new vulnerability, for which an exploit exists and for which a specific signature has not yet been written, and you see if your IDS is able to catch it.


Hint: misuse based IDSs will, mostly, fail.

Hint - upper layer: your test is a bit strange, how would you compare host-based and network-based technologies in the same pot?

> 2) How
> frequently must an IDS product be updated in order to protect against
> zero-day attacks?

Definition: a zero-day is an exploit which is not publicly available through full disclosure channels, and most of the time is a new exploit for a new vulnerability; sometimes (but more rarely) a new exploit for a known vulnerability is also called a zero-day.


Corollary: in the FIRST case, no matter how often you update your misuse-based IDS, it will be mostly useless.
In the SECOND case, if a good signature was written for the VULNERABILITY (i.e. there is a "focal point" of the attack which cannot be bypassed) then the new EXPLOIT will also be caught, otherwise it will not.


> 3) What are the other measures to look for in
> products for protection against zero-day attacks?

Being anomaly-based as opposed to misuse-based. Tripwire is the only anomaly-based IDS you have cited. AFAIK the others listed have only basic anomaly detection features (protocol anomaly detection, mainly).


Regards,
Stefano Zanero
Ph.D. Student

Politecnico di Milano - Dip. Elettronica e Informazione
www.elet.polimi.it/upload/zanero
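An added illustration (not part of Stefano's reply) of the corollary above and of the misuse-versus-anomaly point in answer 3: a signature written for the first public EXPLOIT misses a new exploit for the same bug, a signature written for the VULNERABILITY's focal point still catches it, and a simple anomaly detector needs no signature at all. The vulnerable "GET <path>" service, its 64-byte limit and every traffic sample here are constructed and hypothetical.

```python
"""Exploit signature vs. vulnerability signature vs. anomaly detection.
Constructed toy example: the protocol, the 64-byte limit and the traffic
samples are hypothetical, not taken from any real product or exploit."""
import re
import statistics

# Hypothetical vulnerable service: a "GET <path>" command whose server copies
# <path> into a 64-byte buffer. Any exploit must send a longer path, whatever
# bytes it is made of; that length is the "focal point" of the attack.
PATH_LIMIT = 64
_GET = re.compile(rb"GET (\S+)")

# Misuse signature written for the first public exploit: its 16-byte NOP sled.
EXPLOIT_SIG = re.compile(rb"GET /\x90{16}")

def exploit_signature(msg: bytes) -> bool:
    return EXPLOIT_SIG.search(msg) is not None

# Misuse signature written for the vulnerability itself: any over-long path.
def vulnerability_signature(msg: bytes) -> bool:
    m = _GET.match(msg)
    return m is not None and len(m.group(1)) > PATH_LIMIT

# Anomaly detector: learn the normal path length from benign traffic and flag
# anything more than three standard deviations above the mean.
class LengthAnomalyDetector:
    def __init__(self, benign: list[bytes]) -> None:
        lengths = [len(_GET.match(m).group(1)) for m in benign]
        self.threshold = statistics.mean(lengths) + 3 * statistics.pstdev(lengths)

    def flags(self, msg: bytes) -> bool:
        m = _GET.match(msg)
        return m is not None and len(m.group(1)) > self.threshold

# Constructed traffic: benign training commands and three test messages.
TRAINING = [b"GET /index.html\r\n", b"GET /images/logo.gif\r\n",
            b"GET /cgi-bin/search\r\n", b"GET /docs/readme.txt\r\n", b"GET /\r\n"]
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.0\r\n",
    "public_exploit": b"GET /" + b"\x90" * 16 + b"A" * 80 + b"\r\n",
    "new_exploit": b"GET /" + b"B" * 100 + b"\r\n",  # same bug, different bytes
}

def evaluate(samples=SAMPLES, training=TRAINING):
    """Return {name: (exploit_sig, vuln_sig, anomaly)} verdicts per sample."""
    anomaly = LengthAnomalyDetector(training)
    return {name: (exploit_signature(m), vulnerability_signature(m), anomaly.flags(m))
            for name, m in samples.items()}

if __name__ == "__main__":
    for name, (e, v, a) in evaluate().items():
        print(f"{name:15s} exploit_sig={e} vuln_sig={v} anomaly={a}")
```

Only the exploit-specific signature misses the new exploit; the vulnerability signature and the anomaly detector both flag it without any update.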


