RE: Application level IDS?

From: adam.w.hogan (adam.w.hogan_at_delphi.com)
Date: 06/19/03

    Date: Thu, 19 Jun 2003 08:06:25 -0400
    To: "Smokey Lonesome" <smokey_ids@yahoo.com>, <focus-ids@securityfocus.com>
    
    

    Actually, there is a solution to do all this. A new company called
    WebCohort[0] was recently founded by Shlomo Kremer. Their solution, to
    be blunt, does everything you just asked for. Sensors start in learn
    mode and sample your network traffic for statistical analysis. Then it
    monitors HTML, web sessions, cookies, SQL traffic and is capable of
    terminating any connection it finds to be malicious. It is one cool
    product.

    -Adam.

    [0] - www.webcohort.com

    -----Original Message-----
    From: Smokey Lonesome [mailto:smokey_ids@yahoo.com]
    Sent: Wednesday, June 18, 2003 5:52 PM
    To: focus-ids@securityfocus.com
    Subject: Application level IDS?

    Hi IDS experts,

            I'm not deeply familiar with IDS technologies and
    products, so I apologize in advance if this is a
    too-trivial question:
            
            Is there anything like an "application level IDS" ?
    (similar to what is now called "application
    firewall"?)
            
            What I mean is something that has the non-intrusive
    characteristics of an IDS (as it was discussed lately
    regarding Gartner's article - I'm talking about I_D_S
    and not I_P_S) but which is doing deep application
    level analysis, maybe even application-session
    (cookies?) related analysis (though I'm not sure it is
    possible to keep track of a session when you're just
    monitoring traffic).
            I think such a system should be able to detect the
    many application level attacks - SQL injections,
    hidden-fields tampering, cookie poisoning etc. while
    being more sensitive than a firewall\IPS considering
    it is not blocking any traffic upon detecting
    "suspicious" activity.

            Does something like that exist? Has any of you
    implemented it? Can it be implemented using any of the
    existing IDS's (maybe on top of Snort's stream4?
    Someone mentioned in a recent post "build POP3
    protocol intelligence" - how can this be done with
    existing tools? can it be done for HTTP\HTML as well?)
            
            TIA,
            (-) Smokey.
    ------
    "You can't have everything. Where would you put it?"
    (Steven Wright)


    -------------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    -------------------------------------------------------------------------------

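The original question asks whether a purely passive monitor can do the session-aware, application-level checks it lists (SQL injection, hidden-field tampering, cookie poisoning) rather than just pattern-matching packets. The sketch below is an added example written for this archive page, not code from either poster or from the WebCohort product named in the reply. It assumes a tap or log replay that already hands it decoded HTTP request and response events keyed by a session cookie (call it `sid`); that assumption is the crux of the "can you track a session when you're only monitoring traffic" doubt in the question, and in practice it holds only where the monitor sees cleartext HTTP or sits behind TLS termination. The event format and the sample traffic are constructed for the example. The monitor only records alerts; it never resets or blocks a connection, which keeps it on the IDS side of the IDS/IPS distinction the poster draws.

```python
import re

# Signature check for the SQL-injection tell-tales the thread mentions:
# quote followed by a boolean tautology, UNION SELECT, trailing comment, or
# a stacked DROP. Kept deliberately small; a real deployment would tune this.
SQLI_RE = re.compile(
    r"""('|")\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select|--\s*$|;\s*drop\s""",
    re.IGNORECASE,
)


class PassiveAppMonitor:
    """Observes decoded HTTP events and records alerts; never terminates anything.

    Event shape (constructed for this example):
      response: {"type": "response", "sid": ..., "path": ...,
                 "hidden": {field: value}, "set_cookie": {name: value}}
      request:  {"type": "request", "sid": ..., "path": ...,
                 "params": {name: value}, "cookies": {name: value}}
    """

    def __init__(self):
        self.hidden = {}    # sid -> hidden form fields the server last served
        self.cookies = {}   # sid -> cookie values the server last set
        self.alerts = []    # tuples: (kind, sid, path, name, expected, seen)

    def observe(self, event):
        if event["type"] == "response":
            self._on_response(event)
        else:
            self._on_request(event)

    def _on_response(self, ev):
        # Responses are the ground truth: remember what the server handed out
        # so later requests can be compared against it.
        sid = ev["sid"]
        self.hidden.setdefault(sid, {}).update(ev.get("hidden", {}))
        self.cookies.setdefault(sid, {}).update(ev.get("set_cookie", {}))

    def _on_request(self, ev):
        sid, path = ev["sid"], ev["path"]
        served_hidden = self.hidden.get(sid, {})
        served_cookies = self.cookies.get(sid, {})
        for name, value in ev.get("params", {}).items():
            if SQLI_RE.search(value):
                self.alerts.append(("sqli", sid, path, name, None, value))
            # A hidden field coming back with a value the server never served
            # is the "hidden-fields tampering" case from the question.
            if name in served_hidden and served_hidden[name] != value:
                self.alerts.append(
                    ("hidden_field_tamper", sid, path, name, served_hidden[name], value))
        for name, value in ev.get("cookies", {}).items():
            # A server-set cookie that changes client-side within the same
            # session is the "cookie poisoning" case.
            if name in served_cookies and served_cookies[name] != value:
                self.alerts.append(
                    ("cookie_poison", sid, path, name, served_cookies[name], value))


# Constructed sample traffic: one ordinary session (s1) that later tampers
# with a price field and its role cookie, and a second session (s2) that
# sends a classic tautology in a search parameter.
SAMPLE_TRAFFIC = [
    {"type": "response", "sid": "s1", "path": "/login", "set_cookie": {"role": "user"}},
    {"type": "request", "sid": "s1", "path": "/search", "params": {"q": "shoes"},
     "cookies": {"role": "user"}},
    {"type": "response", "sid": "s1", "path": "/cart",
     "hidden": {"price": "19.99", "item": "42"}},
    {"type": "request", "sid": "s1", "path": "/checkout",
     "params": {"price": "0.01", "item": "42"}, "cookies": {"role": "user"}},
    {"type": "request", "sid": "s1", "path": "/account", "params": {},
     "cookies": {"role": "admin"}},
    {"type": "request", "sid": "s2", "path": "/search",
     "params": {"q": "' OR 1=1 --"}, "cookies": {}},
]


def run_monitor(events=SAMPLE_TRAFFIC):
    """Feed events through the monitor in order and return the alert list."""
    mon = PassiveAppMonitor()
    for ev in events:
        mon.observe(ev)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```

Two design points worth noting. Responses, not requests, are treated as authoritative: the monitor learns what the server served (hidden fields, Set-Cookie values) and flags a later request that contradicts it, which is why it needs both directions of the conversation and a stable session key. And the SQL-injection check is the only stateless one; the other two are impossible for a packet-level signature engine precisely because they depend on what an earlier response in the same session contained.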


