Re: Anomaly Based Network IDS

From: Drew Simonis (simonis_at_myself.com)
Date: 06/24/04

    To: focus-ids@securityfocus.com
    Date: Thu, 24 Jun 2004 07:43:22 -0500
    
    

    > Barry Fitzgerald wrote:
    >
    > I'm going to go out on a limb and state that it's far less
    > likely that a real 0-day will ever generate significantly
    > abundant anomalies in the network traffic, in particular
    > if it's designed well and if the attacker is careful about
    > how they carry out their attack.

    I wonder why volume of anomalies is a point of consideration
    here. As I have stated, I am a user of Mazu Network's Profiler
    product (and have been since early December). This product
    features the ability to compare network traffic against an
    evolving baseline, which would allow me to, for example, instantly
    detect traffic to a port on a machine that wasn't there before.

    The implications are (to me, anyway) obvious. In my experience,
    an exploited machine usually begins listening on a new port. For
    example, if I exploit a webserver, I may have a listener on a
    high port so that I may connect in and do my thing. It isn't
    likely that I'd use 80/tcp as my listener, as that would make
    detection trivial (i.e. my webserver isn't serving!).

    As soon as a connection to this listener is made, I get an alert.
    If a host starts communicating with other hosts that it traditionally
    doesn't, I can get an alert. If a server stops receiving traffic on
    a port, or traffic falls below a threshold, I can get an alert.

    The point is, while the initial attack vector may not generate
    alertable activity, in most cases the utilization of the attacked
    host would, and that is the value I see.

    -Ds
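The three baseline comparisons Drew describes (a new port on a known host, a host talking to a peer it never did, and a served port whose traffic falls below a threshold) can be expressed as a small profile diff. This is an added example, not code from the post or from Mazu's product; the flow tuples, host names and the 20% drop threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow summaries: (src_host, dst_host, dst_port, bytes). Not real data.
BASELINE = [
    ("client1", "web1", 80, 5000),
    ("client2", "web1", 80, 7000),
    ("web1", "db1", 3306, 1200),
    ("client1", "web1", 80, 4000),
]
CURRENT = [
    ("client1", "web1", 80, 100),       # web traffic has collapsed
    ("web1", "db1", 3306, 1100),
    ("attacker", "web1", 4444, 300),    # web1 now accepts on a port it never served
    ("web1", "ftp-ext", 21, 9000),      # web1 talks to a host it never talked to
]

def profile(flows):
    """Summarise flows as served ports per host, peer pairs, and bytes per (host, port)."""
    served = defaultdict(set)       # dst_host -> set of dst_ports seen
    peers = set()                   # (src, dst) pairs observed
    volume = defaultdict(int)       # (dst_host, dst_port) -> total bytes
    for src, dst, port, nbytes in flows:
        served[dst].add(port)
        peers.add((src, dst))
        volume[(dst, port)] += nbytes
    return served, peers, volume

def compare(baseline, current, drop_ratio=0.2):
    """Return alerts for ports not in the baseline, peer pairs not in the baseline,
    and baseline (host, port) volumes that fell below drop_ratio of their old level.
    A host absent from the baseline reports every port it serves as new."""
    b_served, b_peers, b_vol = profile(baseline)
    c_served, c_peers, c_vol = profile(current)
    alerts = []
    for host, ports in c_served.items():
        for port in sorted(ports - b_served.get(host, set())):
            alerts.append(("new_port", host, port))
    for src, dst in sorted(c_peers - b_peers):
        alerts.append(("new_peer", src, dst))
    for (host, port), base_bytes in b_vol.items():
        if c_vol.get((host, port), 0) < drop_ratio * base_bytes:
            alerts.append(("volume_drop", host, port))
    return sorted(alerts)

if __name__ == "__main__":
    for kind, a, b in compare(BASELINE, CURRENT):
        print(f"{kind:12} {a} {b}")
```

On the constructed data this flags the 4444 listener on web1, both new peer pairs, the never-seen ftp-ext host, and the collapse of web1's port 80 traffic, while the unchanged db1 traffic stays quiet.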

