[REVS] Rules Definition for Anomaly Based Intrusion Detection
From: support@securiteam.com
Date: 01/30/03
From: support@securiteam.com To: list@securiteam.com Date: 30 Jan 2003 11:04:44 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Rules Definition for Anomaly Based Intrusion Detection
------------------------------------------------------------------------
SUMMARY
The paper below discusses using Snort as an anomaly-based IDS, outlining
different deployment options together with their advantages and
disadvantages.
DETAILS
Introduction:
Intrusion detection systems (IDS) are one of the fastest-growing
technologies in the security space. Unfortunately, many companies find
them hard to put to use because of the complexity of deployment and/or a
lack of information about their possible uses. This document should help
security experts, integrators, and end customers to use their IDS to its
limits, or to make it fit the expectations of the company.
The market is currently dominated by rule-based IDS solutions that aim to
detect already known attacks by analyzing the traffic flow and looking for
known signatures. Such an IDS therefore has to be under constant
maintenance, with attack signatures updated and modified, and requires a
considerable financial outlay for support.
On the other hand, it is possible to use anomaly-based IDS solutions that
detect not just known attacks but also unknown ones, and that inform
network engineers about possible network problems or help them
troubleshoot.
There is no clear answer as to which solution is better, as each has its
advantages and disadvantages, but it is possible to put rule-based IDS
solutions to use as if they were anomaly based. This document describes
possible ways of doing so by modifying the signatures. All the examples
and solutions are based on Snort IDS, an open-source solution that is
freely available and well established on the market. Although Snort is
open source, many companies offer support or even appliance or turnkey
solutions.
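One way to express the idea above as working code, as an added illustration that is not taken from the paper or from Snort itself: a hypothetical helper that learns which services each internal host legitimately offers from a constructed traffic baseline, then emits Snort rules that whitelist that profile with "pass" rules and alert on any deviation. It assumes Snort is run with -o so pass rules are evaluated before alert rules, and that the host addresses and $HOME_NET variable are placeholders.

```python
"""Derive anomaly-style Snort rules from a traffic baseline.

Hypothetical illustration, not code from the paper or from Snort: learn which
(protocol, destination port) services each internal host legitimately offers,
then emit rules that whitelist that profile with "pass" and alert on anything else.
Assumes Snort runs with -o so pass rules are evaluated before alert rules.
"""
from collections import defaultdict

# Constructed baseline: (proto, dst_ip, dst_port) tuples seen during a learning window.
BASELINE_FLOWS = [
    ("tcp", "10.0.0.5", 80), ("tcp", "10.0.0.5", 443), ("tcp", "10.0.0.5", 80),
    ("tcp", "10.0.0.10", 25), ("udp", "10.0.0.2", 53),
]

def build_profile(flows):
    """Map (proto, host) -> set of ports the baseline shows as legitimate."""
    profile = defaultdict(set)
    for proto, dst_ip, dst_port in flows:
        profile[(proto, dst_ip)].add(int(dst_port))
    return dict(profile)

def render_rules(profile, home_net="$HOME_NET", base_sid=1000000):
    """Emit pass rules for the learned profile, then catch-all alerts for deviations."""
    rules, sid = [], base_sid
    for (proto, host), ports in sorted(profile.items()):
        for port in sorted(ports):
            rules.append(f"pass {proto} any any -> {host} {port} "
                         f"(msg:\"Baseline {proto}/{port} to {host}\"; sid:{sid}; rev:1;)")
            sid += 1
    # Per-host catch-all: any other service on a profiled host is an anomaly.
    for proto, host in sorted(profile):
        opts = "flags:S; " if proto == "tcp" else ""   # only new TCP sessions
        rules.append(f"alert {proto} any any -> {host} any "
                     f"(msg:\"Anomaly: unexpected {proto} service on {host}\"; "
                     f"{opts}sid:{sid}; rev:1;)")
        sid += 1
    # Anything addressed to a host that never appeared in the baseline.
    rules.append(f"alert ip any any -> {home_net} any "
                 f"(msg:\"Anomaly: traffic to unprofiled host\"; sid:{sid}; rev:1;)")
    return rules

if __name__ == "__main__":
    print("\n".join(render_rules(build_profile(BASELINE_FLOWS))))
```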
ADDITIONAL INFORMATION
The complete article can be found at:
http://www.packetstormsecurity.com/papers/IDS/anomaly_rules_def.pdf
The information has been provided by Lubomir Nistor.