[Discussion] Why IDS sucks

David Glosser david.glosser at gmail.com
Thu Oct 16 23:56:54 UTC 2008


Matt, this begs for a wiki or something once you gather enough information.

-I would like to get alerts for L2 stuff (BPDUs, CDP, etc).
-ways to get alerts for fast-flux and other things where current sigs
are prone to FPs



On Thu, Oct 16, 2008 at 3:40 PM, Andre Ludwig <aludwig at packetspy.com> wrote:
> So let's take a look at why IDS in its current form sucks.
>
> 1.  Signature matching has its use but can not be an end-all for
> detection of attacks. (easy to bypass, layer 7 hurts,  encryption hurts
> matching, etc)
>       a. Signatures infer that you know what the attack looks like,
> this doesn't help much
>       b. Signatures can change over time, they require lots of
> administrative overhead and testing before, during, and even after use
> 2.  Performance and wire speed is always going to be an issue (as it is
> a safe assumption that it will continue to increase over time), this
> becomes a problem with inline (IPS).
> 3.  Inability of vendors/producers of IDS technology to keep ahead of
> the curve (be it signature awareness, or be it protocol parsers, etc)
> 4.  Anomaly detection based technologies can be effective but on their
> own they tend to be more of a burden than a help.
>
>
>
> And the single largest issue IMHO, is the lack of infrastructure to
> properly correlate and analyze data to produce actionable
> intelligence.   This intelligence can then be piped to various types of
> "technical controls" to be used as part of the overall security
> architecture.   Granted this isn't necessarily a weakness in IDS as much
> as it is a weakness in the approach the industry has taken.
>
> Please feel free to add/expand on these thoughts or introduce other
> thoughts to this discussion.   (this thread is of course in response to
> John Ives)
>
> Andre Ludwig
>
