Thomas Ptacek wrote:
What makes you think that information about supposed RFC violations on
your network will be actionable?
This is an extremely good question: is anomaly detection of any sort
trustable enough for intrusion prevention purpose ?
Most people don't find information
about supposed malicious traffic to be genuinely actionable.
Or informative. Unless you have a very specific packet trace and a Tom
Ptacek-like guy to read it :)
I'm not
aware of any evidence, not even anecdotal, of new vulnerabilities being
discovered by anomaly detection systems of any stripe.
Here I disagree with Tom. I'd say that anomaly detection systems are not
widely deployed in the wild, so we have no data on their ability to
strengthen corporate defenses. The only widely tested anomaly detection
tools are statistical, rate-base... in which case I certainly agree with
Tom.
I also agree with Tom that there's still a long road ahead before having
good anomaly detectors. The fact that two people involved in researching
(me) and selling (Tom :-))) anomaly-based technologies are so careful in
what we think our beloved creations can do, should warn you.
This is not technology ready for prime time.
Replacing signature IDS is not one of those things.
Absolutely, what would be the use ?
Best,
Stefano Zanero
Politecnico di Milano - Dip. Elettronica e Informazione
www.elet.polimi.it/upload/zanero
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
