[REVS] Rules Definition for Anomaly Based Intrusion Detection

From: support@securiteam.com
To: list@securiteam.com
Date: 30 Jan 2003 11:04:44 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Rules Definition for Anomaly Based Intrusion Detection
------------------------------------------------------------------------

SUMMARY

The paper summarized below discusses using Snort as an anomaly based IDS,
outlining different deployments and listing the advantages and
disadvantages of each.

DETAILS

Introduction:
Intrusion detection systems (IDS) are one of the fastest growing
technologies in the security space. Unfortunately, many companies find
them hard to put to use because of the complexity of deployment and/or a
lack of information about their possible uses. This document should help
security experts, integrators and end customers to use their IDS to its
limits, or to fit it to the expectations of their company.

The market is currently filled mostly by rule-based IDS solutions that aim
to detect already known attacks by analyzing the traffic flow and looking
for known signatures. This means such an IDS must be under constant
construction, with attack signatures continually updated and modified, and
requires paying a considerable amount for support.

On the other hand, it is possible to use anomaly based IDS solutions that
detect not only known attacks but also unknown ones, and that inform
network engineers about possible network problems or help them to
troubleshoot those problems.

There is no clear answer as to which solution is better, since each has
its advantages and disadvantages, but it is possible to put rule-based IDS
solutions to use as if they were anomaly based. This document describes
possible ways of doing that by modifying the signatures. All the examples
and solutions are based upon the Snort IDS, an open-source solution that
is freely available and well established on the market. Although this
solution is open source, many companies offer support or even appliance or
turnkey solutions.
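As an added illustration of that idea (it is not from this advisory or from Nistor's paper), here is a Snort 2.x rule fragment that describes the expected traffic for a small, assumed DMZ segment with pass rules and alerts on anything else; the network addresses and SIDs are assumed values:

```snort
# Added example, not from the advisory or the paper it summarizes:
# using Snort's signature engine as a simple anomaly detector by
# describing the traffic that is normal for one segment and alerting
# on everything else. Snort 2.x syntax; the addresses are assumed.

# Make sure the "known good" pass rules are evaluated before alert rules
# (older Snort releases evaluated alert rules first by default).
config order: pass activation dynamic alert log

var DMZ_NET    192.168.10.0/24
var WEB_SERVER 192.168.10.20
var DNS_SERVER 192.168.10.53

# Expected traffic on this segment: matched first and silently passed.
# The <> operator covers both directions of each conversation.
pass tcp any any <> $WEB_SERVER 80  (msg:"normal: http to web server";  sid:1000001; rev:1;)
pass tcp any any <> $WEB_SERVER 443 (msg:"normal: https to web server"; sid:1000002; rev:1;)
pass udp $DMZ_NET any <> $DNS_SERVER 53 (msg:"normal: dns for dmz hosts"; sid:1000003; rev:1;)

# Everything else that touches the segment is an anomaly. It is not
# necessarily an attack: a newly deployed service, a misconfigured host
# or a compromised machine all surface here, which is the point of the
# anomaly approach. Tune the pass list until these alerts are rare.
alert ip any any -> $DMZ_NET any (msg:"anomaly: unexpected traffic into dmz";  sid:1000100; rev:1; classtype:policy-violation;)
alert ip $DMZ_NET any -> any any (msg:"anomaly: unexpected traffic out of dmz"; sid:1000101; rev:1; classtype:policy-violation;)
```

The catch-all rules will be noisy on first deployment; each alert is either a gap in the pass list (add a rule) or something that genuinely should not be on the segment (investigate), and the list converges after a few days of normal operation.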

ADDITIONAL INFORMATION

The complete article can be found at:
http://www.packetstormsecurity.com/papers/IDS/anomaly_rules_def.pdf

The information has been provided by Lubomir Nistor.

