Several months ago I began research into whether or not IPS is up to the task of web application security. In summary, my initial findings were that IPS could very effectively tackle syntax-related web application attacks if IPS products could introduce context into alerting. Specifically, IPS products would have to create vulnerability-based rules that specify the exact location where an application is vulnerable. Sourcefire, in partnership with WhiteHat Security Inc., delivers exactly that capability through a technical partnership that integrates Sourcefire's SNORT IPS with WhiteHat's Sentinel vulnerability scanning solution.
Much like WhiteHat's partnerships with F5, Imperva, and Breach Security (which can be read about here), the integration of Sentinel and Snort technologies allows end-users to correlate highly accurate vulnerability data with protection capabilities. The key is that WhiteHat's vulnerability scan reports typically do not include any false positives. This allows users to leverage those reports to create traffic-blocking IPS rules with a high level of assurance that those rules will not block legitimate traffic to their web applications. Furthermore, those rules will not produce noisy false-positive alerts within the protection technology. SNORT will benefit drastically from these capabilities, as the ability to detect and block web application attacks has clearly not been its main focus area.
These blocking capabilities are further complemented by the Denim Group who, through partnership with WhiteHat, is largely responsible for the integration between Sourcefire's SNORT and WhiteHat Sentinel. The Denim Group leverages Sentinel's open XML Application Programming Interface (API) to deliver additional services offerings and enhanced Source Code Analysis (SCA) integration capabilities. This assists companies in integrating security in multiple levels of an application, particularly in development, assessment, and defense.
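To make the "context" argument concrete, here is an added illustration that is not code from WhiteHat, Sourcefire or the Denim Group (whose real integration and Sentinel XML schema this post does not show): it reads a constructed, hypothetical vulnerability export and emits Snort 2.x rules scoped to the exact URI and parameter the scanner flagged, rather than a generic SQLi/XSS signature applied to every request.

```python
import xml.etree.ElementTree as ET

# Constructed sample in a hypothetical XML format (assumption: NOT the real
# WhiteHat Sentinel schema, which is not shown on this page).
SAMPLE_REPORT = """<vulnerabilities>
  <vuln class="SQL Injection" url="/search.php" param="q" method="GET"/>
  <vuln class="Cross Site Scripting" url="/comment.php" param="text" method="POST"/>
</vulnerabilities>"""

# Deliberately narrow per-class patterns; they are only ever matched inside
# the value of the one parameter the scan proved vulnerable.
PATTERNS = {
    "SQL Injection": "(%27|'|--|%23)",
    "Cross Site Scripting": "(<|%3c|javascript:)",
}


def snort_rule(vuln_class, url, param, method, sid):
    """Emit one Snort 2.x rule tied to a single vulnerable URI and parameter.
    GET parameters are inspected in the normalised URI (pcre flag U), POST
    parameters in the client body (pcre flag P)."""
    pattern = PATTERNS[vuln_class]
    buf, flag = ("http_uri", "U") if method.upper() == "GET" else ("http_client_body", "P")
    return (
        "alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ("
        f'msg:"WEB-APP {vuln_class} attempt against {url} parameter {param}"; '
        "flow:to_server,established; "
        f'content:"{url}"; http_uri; '          # anchor to the vulnerable page
        f'content:"{param}="; {buf}; '          # fast-pattern on the parameter
        f'pcre:"/(^|[?&]){param}=[^&]*{pattern}/{flag}i"; '
        f"classtype:web-application-attack; sid:{sid}; rev:1;)"
    )


def rules_from_report(xml_text, first_sid=1000001):
    """One scoped rule per <vuln>; classes without a pattern are skipped rather
    than guessed at, so the rule set stays as precise as the scan data."""
    rules = []
    for v in ET.fromstring(xml_text).iter("vuln"):
        if v.get("class") not in PATTERNS:
            continue
        rules.append(snort_rule(v.get("class"), v.get("url"), v.get("param"),
                                v.get("method", "GET"), first_sid + len(rules)))
    return rules


if __name__ == "__main__":
    print("\n".join(rules_from_report(SAMPLE_REPORT)))
```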
Competitive Products
Of course WhiteHat's partnerships with the Denim Group and Sourcefire are not the only efforts to better address web application protection. Other leaders in IPS have also begun to better address web application security. However, it is my belief that, as of the time of this post, few vendors have as solid an offering as Sourcefire does when customers are also utilizing WhiteHat Sentinel. IBM ISS probably has the best argument against my previous statement with their heavy focus on SQL Injection, XSS, and file include attacks, and of course their integrations with IBM Rational (particularly in the AppScan group). However, while ISS does integrate with the AppScan web application vulnerability assessment product in order to enhance their IPS, the IBM Rational standard offering does not include manual testing on top of the AppScan product. This service can be purchased, but unfortunately it comes at a premium price to the customer. The end result is a greater likelihood of false negatives and false positives in the actual scan, and thus less protection for customers.
TippingPoint also offers some web application protection in their Web Application Digital Vaccine product through partnership with NTO. However, TippingPoint seems focused exclusively on delivering high quality protection against SQL Injection, XSS, and malicious PHP file includes. While this capability is highly beneficial and does cover the most common web application attacks, it does not offer the myriad of protections that customers could gain by using Sourcefire and WhiteHat products in combination. This may shift as TippingPoint and HP's Application Security Center become more integrated as part of the HP acquisition of 3Com (TippingPoint's parent company).