RE: Application level IDS?

From: Fergus Brooks (fergusb_at_evolve-online.com)
Date: 06/19/03

    To: "'Smokey Lonesome'" <smokey_ids@yahoo.com>, <focus-ids@securityfocus.com>
    Date: Thu, 19 Jun 2003 12:25:55 +0800
    
    

    I suppose that any NIDS which performs protocol anomaly detection full
    time (eg Manhunt, Dragon) could be considered an application layer NIDS.
    I can't speak for Dragon but I know that Manhunt runs multiple state
    engines that monitor the particular protocols constantly and can
    generate events when they see something that is not in the RFC.

    Signature-based NIDS are also application layer in so much as if they
    have a signature for an attack that operates at layer 7 (eg Nimda) then
    they can generate an event.

    Not saying either type is better - I guess the systems that employ a
    combination of detection methods are the most thorough.

    There is a great product from KavaDo called InterDo which analyses
    application traffic at a very high level - aimed at web services etc,
    that acts as a firewall. They will say that their product is designed to
    complement a firewall, not replace it. It is not an IDS though but if
    you are looking for prevention at that level?

    They also have a scanner that makes mincemeat of lazy/poor code on
    servers if you want to take that approach.

    Rgds.

    -----Original Message-----
    From: Smokey Lonesome [mailto:smokey_ids@yahoo.com]
    Sent: Thursday, 19 June 2003 5:52 AM
    To: focus-ids@securityfocus.com
    Subject: Application level IDS?

    Hi IDS experts,

            I'm not deeply familiar with IDS technologies and
    products, so I apologize in advance if this is a
    too-trivial question:
            
            Is there anything like an "application level IDS" ?
    (similar to what is now called "application
    firewall"?)
            
            What I mean is something that has the non-intrusive
    characteristics of an IDS (as it was discussed lately regarding Gartner's
    article - I'm talking about I_D_S and not I_P_S) but which is doing deep
    application level analysis, maybe even application-session
    (cookies?) related analysis (though I'm not sure it is
    possible to keep track of a session when you're just
    monitoring traffic).
            I think such a system should be able to detect the
    many application level attacks - SQL injections,
    hidden-fields tampering, cookie poisoning etc. while
    being more sensitive than a firewall\IPS considering
    it is not blocking any traffic upon detecting
    "suspicious" activity.

            Does something like that exist? Has any of you
    implemented it? Can it be implemented using any of the
    existing IDS's (maybe on top of Snort's stream4?
    Someone mentioned in a recent post "build POP3
    protocol intelligence" - how can this be done with
    existing tools? can it be done for HTTP\HTML as well?)
            
            TIA,
            (-) Smokey.
    ------
    "You can't have everything. Where would you put it?"
    (Steven Wright)


    -------------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    -------------------------------------------------------------------------------

    
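The thread contrasts two ways a NIDS can work at layer 7 (protocol anomaly detection, i.e. flagging requests the RFC does not allow, and signatures for known layer-7 attacks) and asks whether a purely passive monitor can also track an application session well enough to catch SQL injection, hidden-field tampering and cookie poisoning. The sketch below is an added example written for this page, not code from either poster or from any product named in the thread. It is a passive HTTP inspector that applies both detection styles to a request and, because it also sees the server's responses, can compare what the client presents later with what the server issued. The sample traffic, the SQL injection pattern, the `SESSIONID` cookie name and the `AppLayerMonitor` class are all constructed for illustration; the regexes are deliberately simple and are not production rules.

```python
"""Passive application-layer IDS sketch over constructed HTTP traffic (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# RFC 7230 request-line: method SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
# Illustrative SQL injection signature (assumption: toy pattern, not a production rule).
SQLI = re.compile(r"(?i)('\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select|;\s*drop\s+table)")
# Hidden form fields in a server response (assumes type/name/value attribute order).
HIDDEN_FIELD = re.compile(r'<input[^>]*type="hidden"[^>]*name="([^"]+)"[^>]*value="([^"]*)"', re.I)


def split_message(raw):
    """Split one HTTP message into (start line, lowercase header dict of lists, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if not sep:
            raise ValueError("malformed header line %r" % ln)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def cookie_header(values):
    """Cookie: a=1; b=2  ->  {'a': '1', 'b': '2'}"""
    return dict(p.strip().split("=", 1) for v in values for p in v.split(";") if "=" in p)


def set_cookie_headers(values):
    """Set-Cookie: name=value; Path=/  ->  {'name': 'value'} (attributes dropped)"""
    firsts = [v.split(";", 1)[0].strip() for v in values]
    return dict(f.split("=", 1) for f in firsts if "=" in f)


class AppLayerMonitor:
    """Remembers what the server issued per SESSIONID so later requests can be compared."""

    def __init__(self):
        self.sessions = {}  # SESSIONID -> {"cookies": {...}, "hidden": {...}}

    def observe_response(self, raw, sid=None):
        """Record cookies the server set and hidden fields it emitted. `sid` is the
        session of the matching request when the response does not itself set
        SESSIONID (assumption: TCP flow correlation is done upstream)."""
        _, headers, body = split_message(raw)
        issued = set_cookie_headers(headers.get("set-cookie", []))
        sid = issued.get("SESSIONID", sid)
        if sid is None:
            return
        sess = self.sessions.setdefault(sid, {"cookies": {}, "hidden": {}})
        sess["cookies"].update(issued)
        sess["hidden"].update(HIDDEN_FIELD.findall(body))

    def inspect_request(self, raw):
        """Return a list of event strings for one client request (empty if clean)."""
        events = []
        try:
            req_line, headers, body = split_message(raw)
        except ValueError as e:
            return ["protocol-anomaly: %s" % e]
        m = REQUEST_LINE.match(req_line)
        if not m:  # protocol anomaly: request line is not what the RFC allows
            return ["protocol-anomaly: request line not in RFC 7230 form: %r" % req_line]
        method, target, major, minor = m.groups()
        if method not in KNOWN_METHODS:
            events.append("protocol-anomaly: unknown method %s" % method)
        if (major, minor) not in (("1", "0"), ("1", "1")):
            events.append("protocol-anomaly: unexpected version HTTP/%s.%s" % (major, minor))
        if (major, minor) == ("1", "1") and "host" not in headers:
            events.append("protocol-anomaly: HTTP/1.1 request without Host header")

        # Signature detection over query and form parameters.
        params = parse_qs(urlsplit(target).query)
        if headers.get("content-type", [""])[0].startswith("application/x-www-form-urlencoded"):
            params.update(parse_qs(body))
        for name, values in params.items():
            for v in values:
                if SQLI.search(v):
                    events.append("signature: SQL injection pattern in %s=%r" % (name, v))

        # Session-aware checks: compare client-presented state with server-issued state.
        presented = cookie_header(headers.get("cookie", []))
        sess = self.sessions.get(presented.get("SESSIONID"))
        if sess:
            for name, issued in sess["cookies"].items():
                if name in presented and presented[name] != issued:
                    events.append("session: cookie %s changed by client (%s -> %s)"
                                  % (name, issued, presented[name]))
            for name, issued in sess["hidden"].items():
                if name in params and params[name] != [issued]:
                    events.append("session: hidden field %s tampered (%s -> %s)"
                                  % (name, issued, params[name][0]))
        return events


# Constructed sample traffic (not captured from any real system).
SERVER_RESPONSE = ("HTTP/1.1 200 OK\r\nSet-Cookie: SESSIONID=abc123; Path=/\r\n"
                   "Set-Cookie: role=user; Path=/\r\nContent-Type: text/html\r\n\r\n"
                   '<form method="post" action="/buy"><input type="hidden" name="price" '
                   'value="100"><input type="submit"></form>')
SAMPLE_REQUESTS = {
    "benign": "GET /search?q=ids HTTP/1.1\r\nHost: shop.example\r\n"
              "Cookie: SESSIONID=abc123; role=user\r\n\r\n",
    "sqli": "GET /search?q=x'%20OR%201=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "poisoned": "POST /buy HTTP/1.1\r\nHost: shop.example\r\n"
                "Cookie: SESSIONID=abc123; role=admin\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\nprice=1",
    "bad_line": "GET /index.html\r\nHost: shop.example\r\n\r\n",
    "no_host": "GET / HTTP/1.1\r\n\r\n",
}


def run_demo():
    """Feed the constructed exchange through the monitor; returns events keyed by request name."""
    mon = AppLayerMonitor()
    mon.observe_response(SERVER_RESPONSE)
    return {name: mon.inspect_request(raw) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, events in run_demo().items():
        print(name, events or ["(clean)"])
```

The point the example makes about Smokey's doubt: the SQL injection and the missing `Host` header are caught from a single request with no state, but the cookie-poisoning and hidden-field events only exist because the monitor saw the server's response first and kept that state under the session cookie. A passive sensor can do this as long as it sees both directions of the flow and can correlate them; what it cannot do is stop the tampered request, which is the IDS/IPS distinction the question draws.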
