Re: Statistical Anomaly Analysis? "Was [more specific] Signature vs. Protocol Analysis"
From: Xiaoyong Wu (xwu@anr.mcnc.org) Date: 03/18/02
- Previous message: John S Flowers: "Re: Statistical Anomaly Analysis? (was: a bunch of things)"
- In reply to: Josh Gray: "Re: Statistical Anomaly Analysis? "Was [more specific] Signature vs. Protocol Analysis""
Date: Mon, 18 Mar 2002 12:05:56 -0500 (EST)
From: Xiaoyong Wu <xwu@anr.mcnc.org>
To: Josh Gray <grayjr@cerias.purdue.edu>
Comments inline,
On Sat, 16 Mar 2002, Josh Gray wrote:
<snip>
>
> Basically my point is that your IDS is what you make of it. If you're
> tired of seeing the same alerts every day then disable them. If you
> want to catch new attacks play around with the signature set to detect
> more generic things. If you know your network really well then you can
> tune your IDS to look for things that shouldn't be happening.
Even just looking for things that shouldn't be happening will still produce
a lot of alerts. A simple case is port scanning. You will definitely see a
lot of port scans day after day, and those should be the things your
policy disallows. I don't believe you should turn those alerts off. You
might notice a high volume of SNMP scans before a break-in through it. The
best way to deal with the alerts is for the IDS to group the alerts or
correlate the alerts.
> Actually, they are looking for less events. They are looking for a
> small set of very specific events, such as someone breaking your window
> or kicking your door down. If a home alarm system alerted every time
> someone knocked on your door or called and hung up you would probably be
> overwhelmed (or at least annoyed) with alarms by this system too. I
> know some police/fire departments will stop responding to these alarms
> if they go off too often.
>
That sounds interesting, but it seems to be hard to abstract those simple
events for an IDS. You don't have a physical boundary for your network,
so you don't know where the break-in point is. Intruders don't have
to break down your firewall to penetrate your network. If you
consider a compromise of any of the systems to be the break-in, it might
already be too late. Perhaps, if you knock on the door loudly enough, it will
trigger the home security system. I don't have any experience with those
systems and would be really interested to see, if I knew how it works, how
hard it is to get around it. Hopefully there's no security through
obscurity.
-Xiaoyong
-----------------------------------
Network Research Engineer, 919.248.1469
Advanced Network Research Group, MCNC xwu@anr.mcnc.org
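The reply above argues that recurring port-scan alerts should be grouped or correlated rather than switched off, so that a burst of SNMP scanning followed by access to a scanned host stands out. The following is an added example (not code from the thread or from any IDS product) that shows one way to do that on the IDS output side: it collapses repeated alerts from the same source and signature into one summary record per time window, and then flags any non-scan alert whose source had scanned the same host and port shortly before. The alert line format, the signature names (PORTSCAN, SNMP_PUBLIC_COMMUNITY) and all addresses are constructed for the example and are not real IDS output.

```python
from datetime import datetime, timedelta

# Constructed sample alert lines in a hypothetical "ts|signature|src|dst|dport"
# format; these are not real IDS output and the signature names are invented.
SAMPLE_ALERTS = """\
2002-03-18 09:00:01|PORTSCAN|10.0.0.5|192.168.1.10|161
2002-03-18 09:00:03|PORTSCAN|10.0.0.5|192.168.1.11|161
2002-03-18 09:00:05|PORTSCAN|10.0.0.5|192.168.1.12|161
2002-03-18 09:00:07|PORTSCAN|10.0.0.5|192.168.1.13|161
2002-03-18 09:00:09|PORTSCAN|10.0.0.5|192.168.1.14|161
2002-03-18 09:04:30|SNMP_PUBLIC_COMMUNITY|10.0.0.5|192.168.1.12|161
2002-03-18 11:00:00|PORTSCAN|10.0.0.9|192.168.1.20|22
2002-03-18 15:00:00|PORTSCAN|10.0.0.5|192.168.1.30|80
"""


def parse_alerts(text):
    """Parse the constructed line format into dicts, sorted by timestamp."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, src, dst, dport = line.split("|")
        alerts.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "sig": sig, "src": src, "dst": dst, "dport": int(dport),
        })
    return sorted(alerts, key=lambda a: a["ts"])


def group_alerts(alerts, window=timedelta(minutes=10)):
    """Collapse alerts with the same (source, signature) that arrive within
    `window` of the previous one into a single summary record, so a scan of
    50 hosts becomes one line with a count and a target set, not 50 alerts."""
    open_groups = {}   # (src, sig) -> the group currently being extended
    groups = []        # all groups, in order of their first alert
    for a in alerts:
        key = (a["src"], a["sig"])
        g = open_groups.get(key)
        if g is None or a["ts"] - g["last"] > window:
            g = {"src": a["src"], "sig": a["sig"], "first": a["ts"],
                 "last": a["ts"], "count": 0, "targets": set()}
            open_groups[key] = g
            groups.append(g)
        g["last"] = a["ts"]
        g["count"] += 1
        g["targets"].add((a["dst"], a["dport"]))
    return groups


def correlate_scan_then_access(alerts, scan_sig="PORTSCAN",
                               lookback=timedelta(hours=1)):
    """Flag any non-scan alert whose source scanned the same host:port within
    `lookback` beforehand: the scan alone is noise, the scan plus a follow-up
    hit on a scanned service is the pattern worth an analyst's attention."""
    scans = [a for a in alerts if a["sig"] == scan_sig]
    findings = []
    for a in alerts:
        if a["sig"] == scan_sig:
            continue
        prior = [s for s in scans
                 if s["src"] == a["src"] and s["dst"] == a["dst"]
                 and s["dport"] == a["dport"]
                 and timedelta(0) <= a["ts"] - s["ts"] <= lookback]
        if prior:
            findings.append({"src": a["src"], "dst": a["dst"],
                             "dport": a["dport"], "sig": a["sig"],
                             "scanned_at": prior[0]["ts"], "ts": a["ts"]})
    return findings


def summarize(text):
    """Run both passes over raw alert text; returns (groups, findings)."""
    alerts = parse_alerts(text)
    return group_alerts(alerts), correlate_scan_then_access(alerts)


if __name__ == "__main__":
    groups, findings = summarize(SAMPLE_ALERTS)
    for g in groups:
        print(f"{g['sig']:<22} from {g['src']:<10} x{g['count']:<3} "
              f"targets={len(g['targets'])} {g['first']} .. {g['last']}")
    for f in findings:
        print(f"CORRELATED: {f['src']} scanned {f['dst']}:{f['dport']} at "
              f"{f['scanned_at']}, then {f['sig']} at {f['ts']}")
```

On the constructed input, the five PORTSCAN alerts from 10.0.0.5 collapse into one group of five targets, the later scan from the same source six hours on starts a fresh group because it falls outside the window, and the one SNMP alert is reported as correlated because the same source had scanned that host on port 161 a few minutes earlier. The window and lookback values are arbitrary choices for the example; in practice they are tuned to how quickly scans and follow-up access happen on the network being watched.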