Re: Views and Correlation in Intrusion Detection

From: Paul Schmehl (pauls_at_utdallas.edu)
Date: 06/23/03

    Date: Mon, 23 Jun 2003 16:26:12 -0500
    To: "adam.w.hogan" <adam.w.hogan@delphi.com>, "Focus-Ids (E-mail)" <focus-ids@securityfocus.com>

    How about a "user's" POV?

    To be really effective, I'd like to see a system that looks at packets
    coming in to the network, compares those to packets hitting specific
    servers, "knows" if the server is vulnerable to the specific attack and
    *then* sends an alert.

    To do this kind of work you would need:
    1) a db (A) with the info on each server - OS, applications,
    vulnerabilities, etc.
    2) a detection engine that matches the IP and attack sig to the entry in
    the db (A) with its own db (B) of sigs
    3) an escalation procedure that recognizes that attack A was successful and
    attack B has begun and therefore alerts "more aggressively".

    I don't want to know if an attacker is trying an overflow attack on my IMAP
    server if my IMAP server isn't vulnerable to that attack. I could care
    less. I also don't want to know if some box somewhere with Code Red is
    hitting my network *unless* I have a box that's susceptible to Code Red.

    So it takes a combination of knowledge to alert "intelligently". 1) What
    is the attack? 2) Is the box vulnerable to that attack? 3) Did the attack
    reach that box? 4) Was the attack successful?

    --On Monday, June 23, 2003 02:25:40 PM -0400 "adam.w.hogan"
    <adam.w.hogan@delphi.com> wrote:

    > It seems to me that this thread and the 'IDS is dead, etc' thread are
    > both coming to same conclusions. Namely, much more work/research needs
    > to be done in event correlation to efficiently, and effectively, use an
    > IDS.

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu
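The three components Paul sketches (asset db A, signature db B, and an escalation rule that fires when attack A succeeded and attack B has begun) as a small worked correlation loop. This is an added illustration, not code from the post or from any product; all hosts, signatures and events are constructed sample data, and the `success` flag on an event stands in for whatever response-inspection stage answers question 4.

```python
"""Vulnerability-aware alert correlation: suppress, alert, or escalate."""
from collections import defaultdict

# db (A): each server, what it runs, and the weaknesses it is known to carry (constructed)
ASSETS = {
    "10.0.0.5":  {"os": "Linux",   "apps": ["imapd"],  "vulns": {"IMAP-LOGIN-OVERFLOW"}},
    "10.0.0.9":  {"os": "Windows", "apps": ["IIS"],    "vulns": {"IIS-IDA-OVERFLOW"}},
    "10.0.0.12": {"os": "Linux",   "apps": ["apache"], "vulns": set()},
}

# db (B): each detection signature and the vulnerability it targets (constructed)
SIGNATURES = {
    "SIG-IMAP-OVERFLOW": "IMAP-LOGIN-OVERFLOW",
    "SIG-CODERED":       "IIS-IDA-OVERFLOW",
}

def decide(ev, successes):
    """Verdict for one event: None (suppress), "alert", or "escalate".
    ev: {"src", "dst", "sig", "success"}; "success" is an assumed flag set by
    some stage that watched the server's response (question 4 in the post).
    successes: per-source memory of signatures that already succeeded (updated)."""
    asset = ASSETS.get(ev["dst"])
    if asset is None:
        return None                       # 3) never reached a host we track
    vuln = SIGNATURES.get(ev["sig"])
    if vuln is None or vuln not in asset["vulns"]:
        return None                       # 2) box is not vulnerable, don't care
    # attack A (different sig) already succeeded from this source, and attack B begins
    prior = successes[ev["src"]] - {ev["sig"]}
    verdict = "escalate" if prior else "alert"
    if ev.get("success"):
        successes[ev["src"]].add(ev["sig"])
    return verdict

def correlate(events):
    """Run events in order; return (index, verdict) for every non-suppressed one."""
    successes = defaultdict(set)
    out = []
    for i, ev in enumerate(events):
        v = decide(ev, successes)
        if v is not None:
            out.append((i, v))
    return out

# constructed event stream: one source overflows IMAP, then turns to the IIS box
EVENTS = [
    {"src": "1.2.3.4", "dst": "10.0.0.12",    "sig": "SIG-IMAP-OVERFLOW"},            # not vulnerable
    {"src": "1.2.3.4", "dst": "10.0.0.5",     "sig": "SIG-IMAP-OVERFLOW", "success": True},
    {"src": "1.2.3.4", "dst": "10.0.0.9",     "sig": "SIG-CODERED"},                  # escalate
    {"src": "5.6.7.8", "dst": "10.0.0.9",     "sig": "SIG-CODERED"},                  # plain alert
    {"src": "5.6.7.8", "dst": "10.0.0.12",    "sig": "SIG-CODERED"},                  # not vulnerable
    {"src": "9.9.9.9", "dst": "192.168.50.1", "sig": "SIG-CODERED"},                  # unknown host
]

if __name__ == "__main__":
    print(correlate(EVENTS))   # [(1, 'alert'), (2, 'escalate'), (3, 'alert')]
```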


