Re: new on IDSs (Context-awareness in IDSes)

From: Umesh Shankar (ushankar@cs.berkeley.edu)
Date: 01/28/03

    From: Umesh Shankar <ushankar@cs.berkeley.edu>
    To: focus-ids@securityfocus.com
    Date: 27 Jan 2003 16:00:26 -0800
    
    

    Hello all,

    I'm a student at UC Berkeley (my advisor is David Wagner). Vern Paxson
    and I have done work on gathering and using network- and host-specific
    information to disambiguate traffic, which we call "Active Mapping".
    This lets us perform a more precise analysis. We have a paper coming up
    at the IEEE Security (Oakland) conference. A not-quite-final version of
    it is available at

    http://www.cs.berkeley.edu/%7Eushankar/research/active/activemap.pdf

    Feel free to contact me if you have any questions or would like to try it
    out.

    Umesh

    > Date: Mon, 27 Jan 2003 13:33:42 -0500
    > From: "David W. Goodrum" <dgoodrum@nfr.com>
    > Subject: Re: new on IDSs
    > To: Omar Herrera <oherrera@prodigy.net.mx>
    > Cc: focus-ids@securityfocus.com
    >
    > Actually Omar, NFR's NID engine performs passive OS fingerprinting. So,
    > we re-assemble fragments the same way as the destination OS, thus
    > avoiding that common problem among most other NIDS technologies.
    >
    > Omar Herrera wrote:
    > > Dear Vladimir,
    > >
    > > I believe that one of the biggest limitations of NIDS is the need for
    > > response emulation capabilities. NIDS have to know how a particular O.S.
    > > responds to certain packets in order to act accordingly and avoid
    > > evasion and injection techniques; actually this need is not a limitation
    > > by itself but this capability is difficult to implement.
    > >
    > > Not only should they consider O.S. responses, in many cases they should
    > > also consider specific application responses (web servers for example).
    > > So, in a big company with a huge diversity of applications and
    > > configurations life won't be easy for a NIDS.
    > >
    > > I'm not sure of what investigation is taking place to reduce this other
    > > than adding a bunch of behavior signatures but I believe that for
    > > certain configurations things would be easier for a NIDS.
    > >
    > > For example, if the NIDS is in front of a firewall implementing
    > > application gateway and circuit gateway technologies, in theory, it
    > > would suffice to the NIDS to know exactly how this device handles
    > > traffic at different levels. I'm not aware of a product claiming to do
    > > this interaction with firewalls though (and you just can't have this
    > > configuration everywhere).
    > >
    > > Just some thoughts,
    > >
    > > Omar Herrera
    > >
    > >
    > >>hi all,
    > >>
    > >>I'm interested in NIDS and i was wondering if somebody could, please,
    > >>answer
    > >>these questions or give me some information (links, etc):
    > >>
    > >>1.- Which are NIDS limitations, in addition to pattern-matching inherent
    > >>limitations?
    > >>
    > >>2.- Which technologies or investigation lines are trying to minimize or
    > >>even
    > >>correct these limitations?
    > >>
    > >>3.- What about distributed NIDS?
    > >>
    > >
    > >
    > >
    > > ---
    > > Outgoing mail is certified Virus Free.
    > > Checked by AVG anti-virus system (http://www.grisoft.com).
    > > Version: 6.0.443 / Virus Database: 248 - Release Date: 10/01/2003
    > >
    > >
    >
    >
    > - --
    > David W. Goodrum
    > Senior Systems Engineer
    > NFR Security
    > Mobile: 703.731.3765
    > Office: 240.747.3425
    >
    >
    > ------- End of Forwarded Message
    >
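Goodrum's point above (reassemble fragments the way the destination OS would) and the Active Mapping idea in Shankar's mail, as an added Python example that is not code from the list, from NFR, or from the paper: two simplified overlap policies and a constructed host-to-policy map show that one overlapping fragment stream has two readings until the destination host's behaviour is known.

```python
"""Target-based fragment reassembly: the same overlapping IP fragments yield
different datagrams depending on how the receiving host resolves the overlap.
The policies, hosts and fragments below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int   # byte offset of this fragment's data within the datagram
    data: bytes


# Two simplified overlap policies (assumed here, not tied to a named OS):
#   "first": bytes already received win; later overlapping bytes are dropped
#   "last":  later fragments overwrite bytes received earlier
POLICIES = ("first", "last")


def reassemble(frags, policy):
    """Rebuild the datagram from fragments in arrival order under one policy."""
    total = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(total)
    filled = [False] * total
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or not filled[pos]:
                buf[pos] = b
            filled[pos] = True
    if not all(filled):
        raise ValueError("gap in datagram; cannot reassemble")
    return bytes(buf)


def nids_view(frags, dst_host, policy_map):
    """Payload(s) the NIDS should analyse for traffic bound to dst_host.
    A mapped host gives one unambiguous reading; an unmapped host leaves
    every distinct candidate, which is the ambiguity the thread describes."""
    if dst_host in policy_map:
        return [reassemble(frags, policy_map[dst_host])]
    return sorted({reassemble(frags, p) for p in POLICIES})


# Constructed sample: the second fragment overlaps bytes 4..7 of the first
SAMPLE = [Fragment(0, b"abcdEFGH"), Fragment(4, b"1234"), Fragment(8, b"tail")]
# Constructed map, as Active Mapping would populate it for monitored hosts
HOST_POLICY = {"10.0.0.5": "first", "10.0.0.9": "last"}

if __name__ == "__main__":
    for host in ("10.0.0.5", "10.0.0.9", "10.0.0.77"):
        print(host, nids_view(SAMPLE, host, HOST_POLICY))
```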