Re: IDS is dead, etc

From: Martin Roesch (roesch_at_sourcefire.com)
Date: 08/04/03

    Date: Mon, 4 Aug 2003 07:04:49 -0400
    To: Burak DAYIOGLU <burak.dayioglu@pro-g.com.tr>

    Hi Burak,

    I remember your work and it was cool stuff. RNA is significantly
    different from just straight passive OS fingerprinting; we're building
    a persistent model of the network and applying what we've learned over
    time to the data that's coming out of the NIDS. There are several
    other "neat things" that RNA does that'll let it stand alone as a
    product unto itself, but when combined with NIDS it is designed to
    result in better prioritization of event data, reduction in
    evadability/false negatives, and false positive mitigation.

           -Marty

    On Tuesday, August 5, 2003, at 02:41 AM, Burak DAYIOGLU wrote:

    > On Sun, 2003-06-22 at 18:44, Martin Roesch wrote:
    >>> I would love to see a fingerprinting tool that identified the client
    >>> and server Operating System / Application and reduced the priority of
    >>> alerts for false positives when it is known that the system is not
    >>> vulnerable. The alerts still flag, so we see the drive-by-shootings,
    >>> but as their priority is reduced they are less significant.
    >>>
    >>> Anyone got any development ideas on this front?
    >>
    >> I'm working on just such a program/product called RNA (Real-time
    >> Network Awareness) right now; we've got a press release outlining the
    >> technology (which isn't available yet) on the Sourcefire web site. I'll
    >> spare everyone the marketing here; if anyone wants more information
    >> just drop me an email.
    >
    > I had implemented such an extension, as Giles refers to, in 2001 in
    > Snort while doing my M.Sc. thesis. I integrated p0f of Zalewski as
    > a preprocessor plugin to Snort to "learn" protected hosts' operating
    > systems. With the help of Max Vision, we extended Snort signatures
    > to include proper target O.S. information.
    >
    > We have had some success with the issue. Interested people can check my
    > thesis (http://www.dayioglu.net/publications/thesis.pdf) or the paper
    > about it (http://www.dayioglu.net/publications/iscis2001.pdf).
    >
    > I bet Roesch has been doing much more than this... :)
    >
    > With regards.
    > --
    > Burak DAYIOGLU
    > Consultant, Pro-G Information Security and Research Ltd.
    > Phone: +90 312 2101494 Fax: +90 312 2101493
    > http://www.pro-g.com.tr ICQ UIN: 72276975
    >
    >

    -- 
    Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
    Sourcefire: Enterprise-class Intrusion detection built on Snort
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org
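The thread describes one concrete mechanism: learn each protected host's operating system passively (Burak's p0f preprocessor), tag signatures with the OS they actually target (the Max Vision rule work), and then demote, rather than drop, alerts whose destination host is known not to run that OS (Giles' "alerts still flag" requirement). The following is an added example that sketches that pipeline; it is not code from this thread, from Snort, from RNA or from p0f. The two-entry fingerprint table, the TTL rounding helper, the `Signature`/`Alert` classes and all sample SYNs and alerts are constructed for illustration.

```python
# Added example (not code from the thread or from Snort/RNA/p0f): host-aware
# alert prioritization. A passive fingerprint of each protected host, learned
# from the SYNs it sends, is kept in an inventory; an alert whose signature
# targets an OS the destination host is known not to run is demoted, not
# dropped, so it still shows up but sorts lower in the queue.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, deliberately tiny fingerprint table keyed on (initial TTL,
# TCP window size). Real tools such as p0f use far richer signatures.
FINGERPRINTS: Dict[Tuple[int, int], str] = {
    (64, 5840): "linux",
    (128, 65535): "windows",
}


def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value
    (assumption: the host is fewer hops away than the gap between values)."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def learn_hosts(syn_observations: List[Tuple[str, int, int]]) -> Dict[str, str]:
    """Build a host -> OS family inventory from passively seen SYN packets
    given as (source IP, observed TTL, TCP window). Hosts whose fingerprint
    is not in the table are left out and later count as 'unknown'."""
    inventory: Dict[str, str] = {}
    for src_ip, ttl, window in syn_observations:
        os_family = FINGERPRINTS.get((initial_ttl(ttl), window))
        if os_family is not None:
            inventory[src_ip] = os_family
    return inventory


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    priority: int              # Snort convention: 1 is the highest priority
    target_os: Optional[str]   # OS family the attack applies to; None = any


@dataclass(frozen=True)
class Alert:
    sid: int
    dst_ip: str


def prioritize(alert: Alert, signatures: Dict[int, Signature],
               inventory: Dict[str, str], demote_by: int = 2) -> Tuple[int, str]:
    """Return (adjusted priority, reason). Priority is lowered only when the
    target OS is known for both the signature and the destination host and
    the two disagree; unknown hosts keep full priority (fail loud)."""
    sig = signatures[alert.sid]
    host_os = inventory.get(alert.dst_ip)
    if sig.target_os is None:
        return sig.priority, "signature is OS-agnostic"
    if host_os is None:
        return sig.priority, "destination OS unknown"
    if host_os == sig.target_os:
        return sig.priority, "destination runs the targeted OS"
    return sig.priority + demote_by, f"destination runs {host_os}, not {sig.target_os}"


# ---- constructed sample data (hypothetical sids, hosts and fingerprints) ----
SIGNATURES: Dict[int, Signature] = {
    1001: Signature(1001, "WEB-IIS unicode directory traversal", 1, "windows"),
    1002: Signature(1002, "SCAN nmap TCP", 3, None),
}
OBSERVED_SYNS: List[Tuple[str, int, int]] = [
    ("10.0.0.5", 126, 65535),   # two hops away, Windows-looking
    ("10.0.0.7", 63, 5840),     # one hop away, Linux-looking
    ("10.0.0.9", 250, 4096),    # not in the table -> stays unknown
]


def triage(alerts: List[Alert]) -> List[Tuple[int, str, int, int, str]]:
    """Run alerts through the learned inventory; returns one
    (sid, dst, original priority, adjusted priority, reason) row per alert."""
    inventory = learn_hosts(OBSERVED_SYNS)
    rows = []
    for a in alerts:
        adjusted, reason = prioritize(a, SIGNATURES, inventory)
        rows.append((a.sid, a.dst_ip, SIGNATURES[a.sid].priority, adjusted, reason))
    return rows


if __name__ == "__main__":
    for row in triage([Alert(1001, "10.0.0.7"), Alert(1001, "10.0.0.5"),
                       Alert(1001, "10.0.0.9"), Alert(1002, "10.0.0.7")]):
        print(row)
```

Two design points follow the thread's own concerns. Unknown hosts and OS-agnostic signatures keep full priority, so the scheme can only lower noise, never hide a hit on a host the sensor has not yet profiled. And the inventory is a snapshot: the "persistent model" Marty describes has to be refreshed as hosts are re-imaged or replaced, otherwise a stale Linux entry would quietly demote a real attack against the Windows box that now owns that address.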