Stateful IDS?

From: Kevin Martin (KMartin@xcaliber.com)
Date: 12/31/01


Date: Mon, 31 Dec 2001 11:22:46 -0600
From: "Kevin Martin" <KMartin@xcaliber.com>
To: <focus-ids@securityfocus.com>

I'm in the middle of evaluating different NIDS and have noticed (specifically on ISS) a lot of http-java messages. Right now I'm monitoring on my Internet access point so my outbound traffic looks to come from a common address (due to NAT). When I evaluate the http-java messages that I'm seeing (and I'm only using this one service as an example...there are others that I see which are as a result of the same behavior) they appear to be java responses from valid websites back to connections that were initiated from internal clients. Now, I'd obviously like to filter these out as valid but don't see a way in the NIDS that I'm evaluating to make them look at this "statefully". Are there any NIDS out there that can do this (basically evaluate the response against an earlier connection from source host/port combination and not report as error)?

Thanks.

Kevin Martin, kmartin@xcaliber.com
Chief Security Officer, Stafford Trading Inc.
230 S. LaSalle, Ste. 688
Chicago, IL 60604
TEL +1-312.356.4849
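The behaviour the post is asking for, "evaluate the response against an earlier connection from a source host/port combination," is what a connection state table gives a sensor. The following is an added example, not code from the post or from any of the NIDS products it mentions: a minimal TCP connection tracker that records who initiated each connection, then classifies an alert fired on a packet as a server response to a connection one of our (NAT'd) hosts opened, as traffic on a connection initiated from outside, or as traffic with no tracked connection at all. The class and function names (ConnectionTracker, Packet, run_trace), the RFC 5737 documentation addresses, the port numbers and the packet trace are all constructed for the example; the alert label "http-java" is taken from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed for this example: the single public address that all NAT'd
# outbound traffic from internal clients appears to come from at the sensor.
OUR_ADDRESSES = {"203.0.113.5"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                   # TCP flags as letters: S, SA, A, PA, F, R
    alert: Optional[str] = None  # signature the sensor fired on this packet, if any


# A connection key is always stored in client->server orientation:
# (client address, client port, server address, server port).
ConnKey = Tuple[str, int, str, int]


class ConnectionTracker:
    """Minimal TCP state table used to decide whether an alert fired on a
    packet is a server response to a connection one of our hosts initiated."""

    def __init__(self, our_addresses):
        self.our = {ipaddress.ip_address(a) for a in our_addresses}
        self.table: Dict[ConnKey, str] = {}

    def _lookup(self, pkt: Packet):
        fwd: ConnKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: ConnKey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:
            return fwd, True       # packet travels client -> server
        if rev in self.table:
            return rev, False      # packet travels server -> client
        return None, None          # no handshake seen for this 4-tuple

    def observe(self, pkt: Packet) -> Optional[str]:
        """Advance the state machine for pkt and return a verdict for its alert
        ('suppress', 'alert' or 'alert-untracked'), or None if no alert fired."""
        key, to_server = self._lookup(pkt)
        if key is None and pkt.flags == "S":
            # A bare SYN opens a new entry; the sender is recorded as initiator.
            key, to_server = (pkt.src, pkt.sport, pkt.dst, pkt.dport), True
            self.table[key] = "SYN_SENT"

        if key is not None:
            state = self.table[key]
            if state == "SYN_SENT" and not to_server and pkt.flags == "SA":
                self.table[key] = "SYN_RECV"
            elif state == "SYN_RECV" and to_server and "A" in pkt.flags:
                self.table[key] = "ESTABLISHED"
            if "R" in pkt.flags:   # simplified teardown: a RST drops the entry
                verdict = self._verdict(pkt, key, to_server)
                del self.table[key]
                return verdict

        return self._verdict(pkt, key, to_server)

    def _verdict(self, pkt: Packet, key, to_server) -> Optional[str]:
        if pkt.alert is None:
            return None
        if key is None:
            return "alert-untracked"   # unsolicited: no handshake was observed
        initiator_is_ours = ipaddress.ip_address(key[0]) in self.our
        if (self.table.get(key) == "ESTABLISHED"
                and not to_server and initiator_is_ours):
            return "suppress"          # server answering a connection we opened
        return "alert"


# Constructed packet trace: an internal client (NAT'd to 203.0.113.5) fetches a
# page carrying a Java applet from 198.51.100.10; then an unsolicited inbound
# packet arrives; then an external host opens a connection to our web server.
SAMPLE_TRACE: List[Packet] = [
    Packet("203.0.113.5", 40001, "198.51.100.10", 80, "S"),
    Packet("198.51.100.10", 80, "203.0.113.5", 40001, "SA"),
    Packet("203.0.113.5", 40001, "198.51.100.10", 80, "A"),
    Packet("203.0.113.5", 40001, "198.51.100.10", 80, "PA"),            # GET /
    Packet("198.51.100.10", 80, "203.0.113.5", 40001, "PA", alert="http-java"),
    Packet("198.51.100.99", 51000, "203.0.113.5", 8080, "PA", alert="http-java"),
    Packet("198.51.100.20", 50234, "203.0.113.5", 80, "S"),
    Packet("203.0.113.5", 80, "198.51.100.20", 50234, "SA"),
    Packet("198.51.100.20", 50234, "203.0.113.5", 80, "PA", alert="http-java"),
]


def run_trace(trace=SAMPLE_TRACE, our_addresses=OUR_ADDRESSES):
    """Feed a trace through the tracker; return (alert, src, dst, verdict)
    for every packet that carried an alert."""
    tracker = ConnectionTracker(our_addresses)
    verdicts = []
    for pkt in trace:
        v = tracker.observe(pkt)
        if v is not None:
            verdicts.append((pkt.alert, pkt.src, pkt.dst, v))
    return verdicts


if __name__ == "__main__":
    for alert, src, dst, verdict in run_trace():
        print(f"{alert:10} {src:>14} -> {dst:<14} {verdict}")
```

The first http-java hit is the applet coming back on the connection the internal client opened, so it is suppressed; the second has no handshake behind it and stays an alert; the third rides a connection an outside host initiated toward our server, so it also stays an alert even though the signature is the same. Because the key is the full 4-tuple, the NAT'd common source address is not a problem: each internal client's connection still has its own ephemeral port. A real sensor would also need timeouts and FIN handling so the table does not grow without bound.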