Joey Peloquin wrote:
I'm evaluating TippingPoint's device right now, and that's not entirely
true. The only *static* signatures used are the AV, Spyware, IM, and
P2P filters. Everything else is anomaly-based, through the use of
regex,
First hint of the day: if there is a regexp there, it's NOT anomaly
detection.
and the vulnerabilities themselves.
Second hint of the day: if the "description of vulnerabilities" is in
there somewhere, that means "misuse based" detection. Anomaly based
detection happens when you have a model of what is good, and declare
what is not good to be bad.
This is why TP claims the
ability to stop so-called 0-day attacks.
They can also claim the throne of the kingdom of Hackerhood, but
nevertheless, this is nothing of the kind.
In fact all vendors who claim the ability to stop 0-day attacks do so
because they are supposed to be filtering on the vulnerability
And then they are just deluding their customers.
of these devices is the fact that they do "deep packet inspection",
rather than a protcol decode and "best guess" based on irregularities in
the way it's supposed to function.
That's called "protocol anomaly detection", and you can find rants about
it by googling...
Best,
Stefano Zanero
---------------------------
Secure Network S.r.l.
www.securenetwork.it
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
