[REVS] Rules Definition for Anomaly Based Intrusion Detection
From: support@securiteam.com
Date: 01/30/03
From: support@securiteam.com To: list@securiteam.com Date: 30 Jan 2003 11:04:44 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Rules Definition for Anomaly Based Intrusion Detection
------------------------------------------------------------------------
SUMMARY
The paper summarized below discusses using Snort as an anomaly-based IDS,
outlining different deployment options and listing the advantages and
disadvantages of each.
DETAILS
Introduction:
Intrusion detection systems (IDS) are one of the fastest growing
technologies in the security space. Unfortunately, many companies find
them hard to put to use because of the complexity of deployment and/or a
lack of information about their possible uses. This document should help
security experts, integrators, and end customers use their IDS to its
limits, or to fit the expectations of their company.
The market is currently dominated by rule-based IDS solutions that aim to
detect already known attacks by analyzing the traffic flow and looking for
known signatures. This means that such an IDS must be under constant
maintenance, with attack signatures being updated and modified, and that a
considerable amount of money must be paid for support.
On the other hand, anomaly-based IDS solutions detect not only known
attacks but also unknown ones, and can inform network engineers about
possible network problems or help them troubleshoot those problems.
There is no clear answer as to which approach is better, since each has
its advantages and disadvantages, but it is possible to put rule-based IDS
solutions to use as if they were anomaly based. This document describes
possible ways of doing so by modifying the signatures. All the examples
and solutions are based on the Snort IDS, an open-source solution that is
freely available and well established on the market. Although Snort is
open source, many companies offer support for it, or even appliance or
turnkey solutions.
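The following rule set is an added illustration of the general idea above (a
rule-based engine used to flag traffic outside a known-good baseline); it is
not taken from the paper or from the Snort distribution, and the paper's own
methods are in the linked PDF. It assumes Snort 2.x rule syntax (bracketed
port lists and negation), and the network ranges, server addresses and
"allowed" ports are constructed placeholders for a small monitored LAN.

```snort
# --- Constructed baseline for the monitored network (assumptions) ---
var HOME_NET     192.168.1.0/24      # assumed internal LAN
var EXTERNAL_NET !$HOME_NET
var WEB_SERVERS  192.168.1.10        # assumed: the only host meant to serve HTTP
var MAIL_SERVERS 192.168.1.20        # assumed: the only host meant to serve SMTP
var DNS_SERVERS  192.168.1.1         # assumed: the only resolver clients should use

# --- Pattern 1: invert the signature ---
# Instead of describing an attack, describe what a server is allowed to
# receive and alert on anything else. flags:S limits the alert to the
# initial SYN so one connection attempt produces one event.
alert tcp $EXTERNAL_NET any -> $WEB_SERVERS !80  (msg:"ANOMALY web server contacted on non-HTTP port";  flags:S; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $MAIL_SERVERS !25 (msg:"ANOMALY mail server contacted on non-SMTP port"; flags:S; sid:1000002; rev:1;)

# Outbound profile: clients are expected to speak only HTTP/HTTPS and SMTP
# to the outside, and DNS only to the internal resolver.
alert tcp $HOME_NET any -> $EXTERNAL_NET ![80,443,25] (msg:"ANOMALY outbound TCP to unexpected port"; flags:S; sid:1000003; rev:1;)
alert udp $HOME_NET any -> !$DNS_SERVERS 53            (msg:"ANOMALY DNS query bypassing internal resolver";       sid:1000004; rev:1;)

# --- Pattern 2: whitelist with pass rules, then a catch-all ---
# Known-good flows are matched by pass rules; a single broad alert rule
# fires on any inbound connection attempt that was not passed.
# Requires Snort to evaluate pass rules first (the -o command-line switch
# in Snort 2.x changes the order to Pass->Alert->Log).
pass tcp $EXTERNAL_NET any -> $WEB_SERVERS 80  (msg:"baseline: inbound HTTP"; sid:1000010; rev:1;)
pass tcp $EXTERNAL_NET any -> $MAIL_SERVERS 25 (msg:"baseline: inbound SMTP"; sid:1000011; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any   (msg:"ANOMALY inbound TCP outside baseline"; flags:S; sid:1000012; rev:1;)
```

Both patterns trade the rule-based engine's "known bad" knowledge for a
description of "known good"; anything that does not fit the profile, whether
a new exploit, a misconfigured host or a rogue service, shows up as an event.
The cost is that the baseline must actually be correct and kept current,
otherwise the catch-all rule in particular generates a high volume of
alerts on legitimate changes to the network.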
ADDITIONAL INFORMATION
The complete article can be found at:
http://www.packetstormsecurity.com/papers/IDS/anomaly_rules_def.pdf
The information has been provided by Lubomir Nistor.