Detection engines use different methodologies to separate legitimate traffic from attacks. Signature-based detection catches known threats, while anomaly and policy-based methods attempt to catch novel or unauthorized behavior.
Signature-based detection compares traffic against a database of known exploit patterns (signatures). It is highly accurate for known threats and produces few false positives when the signatures are well written, but it is blind to anything that has no signature yet: zero-day exploits and modified variants of known attacks.
💡 Pro-tip: Signature updates must be automated and continuous. A signature database that is even a day old can miss a campaign that started overnight.
PulledPork automates downloading the latest community and subscriber rule sets and merging them into Snort's rule files; Snort still has to reload its rules before the new signatures take effect.
Anomaly detection establishes a baseline of 'normal' traffic and alerts on deviations (e.g., a massive spike in outbound DNS from one host). Policy-based detection fires when traffic violates an explicit organizational rule (e.g., P2P traffic detected), regardless of whether that traffic is actually malicious.
⚠️ Anomaly-based detection is notorious for generating high false-positive rates during legitimate business events, like a sudden marketing campaign driving massive web traffic. Expect to tune thresholds and re-baseline after any legitimate change in traffic patterns.
| Method | Strength | Weakness |
|---|---|---|
| Signature | Low false positives | Blind to zero-days |
| Anomaly | Catches novel threats | High false positives |
| Policy | Enforces compliance | Rigid; only catches what a policy explicitly forbids |
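The following is an added example, not code from the original page and not Snort or PulledPork code: a toy Python engine that applies all three methods to a handful of constructed packets. The Snort-style rule parser honours only the rule header, the destination port and the `content` option (real Snort rules have many more options), the path-traversal rule and its local SID are constructed, the DNS baseline counts and the `mean + 3 * stdev` threshold are assumptions, and the BitTorrent handshake prefix is the real one.

```python
import re
import statistics
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    payload: bytes


# ---- 1. Signature-based: minimal Snort-style rule matcher (toy parser) ----
# Only the header, the dport field and the 'content' option are honoured.
RULE_RE = re.compile(
    r'^alert\s+(?P<proto>\w+)\s+\S+\s+\S+\s*->\s*\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


def parse_rule(text):
    """Parse a Snort-like 'alert' rule into a small dict (subset of the syntax)."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax")
    opts = {}
    for opt in m.group("opts").split(";"):
        if ":" in opt:
            key, value = opt.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    dport = m.group("dport")
    return {
        "proto": m.group("proto").lower(),
        "dport": None if dport == "any" else int(dport),
        "content": opts["content"].encode(),   # byte pattern searched for in the payload
        "msg": opts.get("msg", ""),
        "sid": opts.get("sid", ""),
    }


def signature_alerts(packets, rules):
    """Return (sid, msg, src) for every packet whose payload contains a rule's content."""
    alerts = []
    for p in packets:
        for r in rules:
            if (r["proto"] == p.proto
                    and (r["dport"] is None or r["dport"] == p.dport)
                    and r["content"] in p.payload):
                alerts.append((r["sid"], r["msg"], p.src))
    return alerts


# ---- 2. Anomaly-based: baseline outbound DNS queries/minute, alert on deviation ----
def anomaly_alerts(baseline, current, k=3.0):
    """baseline: per-minute query counts for one host observed while 'normal'.
    Alerts when the current count exceeds mean + k * stdev (assumed threshold).
    Returns (is_anomalous, threshold)."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    threshold = mean + k * sd
    return current > threshold, round(threshold, 1)


# ---- 3. Policy-based: organisational rule "no P2P" ----
BT_HANDSHAKE = b"\x13BitTorrent protocol"   # real BitTorrent handshake prefix


def policy_alerts(packets):
    """Flag BitTorrent by its usual port range or by its handshake, malicious or not."""
    return [(p.src, "P2P traffic (BitTorrent)") for p in packets
            if 6881 <= p.dport <= 6889 or p.payload.startswith(BT_HANDSHAKE)]


# ---- constructed sample rule and traffic ----
RULES = [parse_rule(
    'alert tcp any any -> any 80 (msg:"Path traversal attempt"; '
    'content:"../../etc/passwd"; sid:1000001; rev:1;)')]

PACKETS = [
    Packet("tcp", "10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.7", "203.0.113.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.9", "198.51.100.4", 6881, BT_HANDSHAKE + b"\x00" * 8),
    Packet("udp", "10.0.0.9", "198.51.100.4", 53, b"\x12\x34\x01\x00"),  # ordinary DNS query
]

DNS_BASELINE = [10, 12, 9, 11, 10, 13, 11, 10]   # constructed queries/minute
DNS_NOW = 80                                     # constructed spike


if __name__ == "__main__":
    print("signature:", signature_alerts(PACKETS, RULES))
    print("anomaly:  ", anomaly_alerts(DNS_BASELINE, DNS_NOW))
    print("policy:   ", policy_alerts(PACKETS))
```

Note the false-positive trap in the anomaly path: a host that legitimately jumps from its usual dozen DNS queries a minute to forty (a new internal tool, a campaign launch) trips the same threshold as the constructed spike of eighty, and the engine cannot tell the two apart without a re-baseline. The policy path has the opposite limitation: it only fires on what the rule names, so BitTorrent on an unusual port without the handshake prefix passes through.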