The methods discussed in the paper from Packet Storm are interesting. It sounds very similar to the methods used by Securify (see my Securify SecureVantage post).There is no clear answer which solution is better as they have their advantages and disadvantages, but there is a possibility to put the rule-based IDS solutions in use as if they were anomaly based. This document describes possible ways of doing that by modifying the signatures. All the examples and solutions are based upon Snort IDS that is open-source solution freely available and well established on the market. Although this solution is open-source there are many companies offering support or even appliance or turnkey solutions.
MORE
By making up rules that attempt to detect anomalous traffic you can potentially use rules-based IDS to detect threats for which you don't currently have a signature.
Its not fool-proof (aside from disconnecting from the Internet and turning your computer off- what is?) but it is an intriguing paper.
Reply With Quote
