Re: Anomaly based network IDS
From: Brian Hernacki (bhern@meer.net)
Date: 04/03/03
- Previous message: Miller, Joe: "RE: IDS interface setup"
- In reply to: Dale Gardner: "Re: Anomaly based network IDS"
Date: Thu, 03 Apr 2003 09:42:56 -0800
From: Brian Hernacki <bhern@meer.net>
To: focus-ids@securityfocus.com
>How does it determine what is suspicious?
>
The detection logic of the 'compliant but suspicious' subset of the protocol anomaly detection is generally built based on manual analysis.
There are several ways to determine cases which are compliant but still worth alerting on (even though you don't *know* it's a particular exploit). Sometimes we will examine a protocol for obvious points of attack. Other times we may examine a class of exploits or even applications and create logic to detect those types of attacks more generically. Often these 'gaps' are created by grey areas in protocol specifications or differences between specification and implementation.
ManHunt also applies similar logic in its other detection mechanisms (e.g. traffic monitoring and analysis).
--brian
brian_hernacki@symantec.com
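As an added illustration of the "compliant but suspicious" idea described above (example code written for this archive page, not ManHunt's or Symantec's detection logic): a small HTTP request-line check that first tests grammar compliance and only then flags spec-valid forms that real clients rarely produce. The length threshold, the list of common methods and the sample lines are assumptions constructed for the example.

```python
import re

# Request-line grammar from RFC 7230: method SP request-target SP HTTP-version.
REQUEST_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+) (\S+) (HTTP/\d\.\d)$")
PCT_ENCODED = re.compile(r"%([0-9A-Fa-f]{2})")
# RFC 3986 unreserved characters never need encoding; clients normally send them bare.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}  # assumed baseline
MAX_TARGET_LEN = 2048  # assumed site-specific threshold, not a protocol limit


def analyze_request_line(line):
    """Return (compliant, reasons).

    compliant=False: the line violates the request-line grammar (a protocol violation).
    compliant=True with reasons: grammatically valid, but in a form worth alerting on.
    """
    m = REQUEST_LINE.match(line)
    if not m:
        return False, ["request line does not match RFC 7230 grammar"]
    method, target, _version = m.groups()
    reasons = []
    if method not in COMMON_METHODS:
        reasons.append("uncommon method %s" % method)
    if len(target) > MAX_TARGET_LEN:
        reasons.append("request-target longer than %d bytes" % MAX_TARGET_LEN)
    # Encoding a reserved char (e.g. %2F) is normal; encoding an unreserved one is not.
    odd = [h for h in PCT_ENCODED.findall(target) if chr(int(h, 16)) in UNRESERVED]
    if odd:
        reasons.append("percent-encoded unreserved characters: %s" % ",".join("%" + h for h in odd))
    path = target.split("?", 1)[0]
    if path.startswith("/") and "//" in path:
        reasons.append("empty path segment (consecutive slashes)")
    return True, reasons


# Constructed sample request lines, not real captures.
SAMPLES = [
    "GET /index.html HTTP/1.1",            # compliant, nothing to report
    "GET /%69ndex.html HTTP/1.1",          # %69 is 'i': valid, but clients never encode it
    "GET /" + "a" * 3000 + " HTTP/1.1",    # valid, but far longer than typical
    "GET /a//b?q=x%2Fy HTTP/1.1",          # valid; empty segment flagged, %2F is not
    "FOO /x HTTP/1.1",                     # valid token, uncommon method
    "GET /index.html",                     # grammar violation: no HTTP-version
]

if __name__ == "__main__":
    for sample in SAMPLES:
        compliant, reasons = analyze_request_line(sample)
        print("%-10s %s" % ("compliant" if compliant else "VIOLATION", reasons or "ok"))
```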