Re: Signature vs Anomaly - again (was Re: IDS Players?)

From: Vitaly Osipov (witt@iol.ie)
Date: 06/19/02


From: "Vitaly Osipov" <witt@iol.ie>
To: "Greg Shipley" <gshipley@neohapsis.com>
Date: Wed, 19 Jun 2002 19:20:35 +0100


----- Original Message -----
From: "Greg Shipley" <gshipley@neohapsis.com>
>
> You might want to specify what you mean by "anomaly." Are you talking
> protocol anomaly (i.e. "this HTTP packet looks funny"), traffic anomaly
> (i.e. "Hey, why did our UDP traffic spike to 30%?"), or ....?

Basically anything that is capable of saying that "this behaves in the way
it should not / in a way it did not behave" :) This is more about traffic
pattern anomalies, because protocol anomaly is (or at least can be) detected via
some regular rules (there are RFCs in the worst case). I was curious if any
of the academic research of the last 20 years has resulted in anything usable yet
(there were many approaches - neural nets, statistics-based, finite
automata, *insert your favourite pattern recognition technology here*...). I
understand that this takes significantly more CPU power than
"network-grepping" techniques, but still... The only thing that comes to my
mind is one Snort plugin (SPADE if I am not mistaken - have not used it for
a while).

(I know the following is a rather useless topic, so everybody feel free to
disregard the following paragraph :) )

I tend to believe that network grep IDS are not very useful things - I do
not care if somebody tries a *known* exploit against my network (if I know
the network servers/devices are patched) - maybe I just do not feel the
need to punish them :). They might be useful in very large networks as
control tools, helping find out admins' mistakes. If somebody manages to
come up with tools that will find 0-day things, it will be much more useful,
at least for me... Do you know which signature proved most useful in the days of
Code Red? The one that was matching traffic from xxx.xxx.xxx.xxx:80 for the
string "file(s) copied". The match signalled that the server was going to be
compromised even before anybody heard of the actual exploit.

> There was a huge thread about this that started here:
> http://archives.neohapsis.com/archives/sf/ids/2002-q1/0234.html
>
> And some of my examples here:
> http://archives.neohapsis.com/archives/sf/ids/2002-q1/0239.html
>
> ...and further discussions on this area are in that thread. It might be
> worth a quick read.

thnx, interesting topic, and all the famous names are there too :)

Regards,
Vitaly.
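The two detection styles this thread contrasts, as an added example that is not part of the original message: the Code Red-era signature Vitaly describes, matched on the web server's own replies from port 80, beside a statistics-based traffic-anomaly check in the spirit of the quoted "why did UDP spike to 30%?" question. The packet records, addresses and baseline values are constructed for illustration.

```python
import statistics
from collections import namedtuple

# Constructed sample data, not from the original thread. Pkt mimics the
# fields a sniffer hands an IDS; payloads are shortened by hand.
Pkt = namedtuple("Pkt", "src sport dst dport proto payload")
SERVER = "192.0.2.10"  # hypothetical web server (the xxx.xxx.xxx.xxx of the post)

PACKETS = [
    Pkt("198.51.100.7", 41234, SERVER, 80, "tcp", b"GET /default.ida?NNNN HTTP/1.0\r\n"),
    Pkt(SERVER, 80, "198.51.100.7", 41234, "tcp",
        b"HTTP/1.0 200 OK\r\n\r\n        1 file(s) copied.\r\n"),
    Pkt(SERVER, 80, "203.0.113.5", 5555, "tcp", b"HTTP/1.0 200 OK\r\n\r\n<html>hi</html>"),
    Pkt("203.0.113.9", 9, SERVER, 5353, "udp", b"\x00" * 8),
]

def code_red_compromise_hits(packets, server):
    """Signature from the post: our own web server, *replying* from port 80,
    sends the cmd.exe message 'file(s) copied'. No web page contains that
    text, so a hit means commands already ran on the box (post-compromise),
    regardless of which exploit got them there."""
    sig = b"file(s) copied"
    return [(p.dst, p.payload) for p in packets
            if p.src == server and p.sport == 80 and sig in p.payload.lower()]

def udp_share(packets):
    """Fraction of packets that are UDP within one observation interval."""
    return sum(p.proto == "udp" for p in packets) / len(packets) if packets else 0.0

def udp_spike(history, current, k=3.0):
    """Traffic-anomaly check: flag when the current interval's UDP share sits
    more than k standard deviations above the learned baseline. Statistics
    based, so it is only as good as the quiet intervals it was trained on."""
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history) or 1e-9  # flat baseline: avoid divide by zero
    return (current - mean) / sd > k

if __name__ == "__main__":
    for dst, payload in code_red_compromise_hits(PACKETS, SERVER):
        print("web server sending shell output to", dst, payload[-24:])
    # constructed baseline: ten quiet intervals at roughly 5% UDP
    baseline = [0.04, 0.05, 0.06, 0.05, 0.04, 0.05, 0.06, 0.05, 0.04, 0.05]
    print("UDP share now:", udp_share(PACKETS), "spike:", udp_spike(baseline, 0.30))
```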
