Re: IPS comparison
From: Frank Knobbe (frankknobbe.us)
Date: Sat Sep 03 2005 - 01:58:56 CDT
On Tue, 2005-08-30 at 18:02 -0400, Adam Powers wrote:
> This is why most of today's *successful* anomaly detection technologies
> incorporate a learning or "behavioral" component that overcomes this kind of
> problem. Take StealthWatch for instance. When a new DNS server comes online,
> StealthWatch looks at the flows being generated by the server, figures out
> what the server is and how it's behaving, then applies the appropriate
> algorithms given the contextual awareness of the server's learned behaviors.
> In a nutshell:
> 1. New host detected.
> 2. Let's watch it for a bit and figure out what it's up to.
> 3. Now that we know what the machine is and does, apply the proper anomaly
> detection techniques to the traffic generated by the host.
uhm... then I would rather not use Stealthwatch. If a new host comes
online, I'd like to receive an alert on that. Also, letting the IDS
guess what is normal may be suboptimal. For instance, if a host is
hacked and starts an FTP server on a new IP address the hacker assigns
(new host), the IDS will watch the FTP traffic of the pubstro and then
consider it normal. Except that it isn't :)
So having an IDS accept a new host and consider its traffic normal
without any sort of alerts or user intervention can hardly be considered
a "successful" IDS.
Ciscogate: Shame on Cisco. Double-Shame on ISS.
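The behaviour Frank argues for, sketched as an added example that is not code from either poster or from any product named in the thread: the first sighting of any host raises an alert, and a learned service profile only becomes the baseline after an explicit operator approval, so a freshly appeared FTP server is held as unclassified rather than silently accepted. All hosts, ports and flow records are constructed.

```python
"""Flow monitor that alerts on new hosts and withholds 'normal' status until
an operator approves the learned profile. Constructed data throughout."""
from dataclasses import dataclass, field

@dataclass
class Flow:
    src: str        # constructed summary of one connection
    dst: str
    proto: str
    dport: int

@dataclass
class HostProfile:
    services: set = field(default_factory=set)  # (proto, dport) served
    approved: bool = False                       # operator sign-off

class BaselineMonitor:
    def __init__(self):
        self.hosts: dict[str, HostProfile] = {}
        self.alerts: list[str] = []

    def observe(self, flow: Flow) -> None:
        # A never-seen destination is itself an alert, not a cue to learn quietly.
        if flow.dst not in self.hosts:
            self.hosts[flow.dst] = HostProfile()
            self.alerts.append(f"NEW_HOST {flow.dst}")
        prof = self.hosts[flow.dst]
        svc = (flow.proto, flow.dport)
        if svc not in prof.services:
            prof.services.add(svc)
            # A new service on an already-approved host is a role change.
            if prof.approved:
                self.alerts.append(
                    f"NEW_SERVICE {flow.dst} {flow.proto}/{flow.dport}")

    def approve(self, host: str) -> None:
        self.hosts[host].approved = True  # human decision, not a timer

    def unapproved_services(self) -> dict:
        # Traffic an auto-baselining IDS would already have called normal.
        return {h: p.services for h, p in self.hosts.items()
                if not p.approved}

def run_demo() -> BaselineMonitor:
    m = BaselineMonitor()
    m.observe(Flow("192.0.2.10", "10.0.0.5", "tcp", 80))   # known web server
    m.approve("10.0.0.5")                                  # operator accepts
    m.observe(Flow("192.0.2.20", "10.0.0.99", "tcp", 21))  # new host, FTP
    m.observe(Flow("192.0.2.30", "10.0.0.5", "tcp", 21))   # web box now FTP
    return m
```

After `run_demo()`, `alerts` holds the new-host and new-service events and `unapproved_services()` shows exactly the FTP profile that a learn-then-accept IDS would have adopted as normal.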