Re: question about anomalies detection

From: Omar Herrera (oherrera_at_prodigy.net.mx)
Date: Thu, 02 Sep 2004 15:22:17 -0500
To: faisal99@inf.its-sby.edu

  • Next message: Srinivasa Rao Addepalli: "Re: question about anomalies detection"


Hi Nafis,

>Hi everyone,
>sorry if my question seems to be a dumb question,
>but I need to know several things about anomaly detection for my college
>assignment. Below are some things to answer (if you don't mind).
>
>1. To train the anomaly detection system, we must train the application
>with the normal profile. My question is how we get the normal profile: are
>they built by ourselves, or do we try to get them from our network dump data to be
>set as the normal profile, or do we use the prebuilt data on the net (like the data
>from the Lincoln Lab data?)

Usually, you set up the tool to gather a sample of the traffic to create tables of
normal traffic and adjust its thresholds. Of course, you should choose the best
time to do this carefully: profiling the traffic during the night, with no server
activity, would result in a bunch of false positives when your servers start
receiving traffic. This is how this works (in general terms); each product has
particular capabilities and there are specifics for the fine-tuning of each product.

>2. Is there any paper about SPADE (Snort plugin)? I've been googling for
>some time but never found one.

http://www.silicondefense.com/, the website of the plugin, is unreachable (at least for me). You can still find a copy of the plugin in the latest Snort distribution, inside the contrib directory. The README file in there has a very good description of the algorithms involved in SPADE. In essence, SPADE works only at the network level, meaning that it can only identify traffic to/from certain IPs and ports, but it cannot tell you whether it is invalid from an application point of view (for example, it cannot analyze whether the payload of an HTTP packet violates some part of the HTTP protocol specification).

It seems SPADE is no longer maintained (the last update I know of is from 2000), but you might still find it useful.

I don't think anomaly detection systems are well suited for the perimeter with the Internet. Some will differ with this opinion based on the capabilities of certain products and the environment, but generally speaking, if your traffic is diverse at the perimeter (almost any IP and port, from and to your network), you will either find that it spits out a lot of false positives or that the profile is so relaxed that it doesn't alert on anything and thus is of no use.

In an internal network they might be more useful. For example, you could easily spot a worm trying to propagate through your network.

Hope this helps,

Omar Herrera
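The points in this reply about the normal profile, the baseline window, SPADE's network-level scoring and spotting a propagating worm internally, worked through as an added example. This code is written for this archive page; it is not SPADE's source or any product's implementation. It keeps a table of how often each (destination IP, destination port) pair was seen in a training sample and scores later packets by how rare their destination pair is; the scoring rule (-log2 of a smoothed relative frequency) is an assumed simplification of the probabilistic method described in SPADE's README, the threshold of 5 bits is arbitrary, and all traffic samples are constructed.

```python
"""SPADE-style network-level anomaly scorer over a (dst_ip, dst_port) profile.

Illustrative code added for this archive page, not SPADE's own code. Scoring rule,
threshold and traffic samples are assumptions / constructed data.
"""
from collections import Counter, defaultdict
from math import log2
from typing import Dict, Iterable, List, Tuple

Packet = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


class DestinationProfile:
    """Normal profile: counts of (dst_ip, dst_port) pairs seen during training."""

    def __init__(self, alpha: float = 1.0) -> None:
        self.counts: Counter = Counter()
        self.total = 0
        self.alpha = alpha  # pseudo-count, so an unseen pair gets a finite score

    def train(self, packets: Iterable[Packet]) -> None:
        for _, dst_ip, dst_port in packets:
            self.counts[(dst_ip, dst_port)] += 1
            self.total += 1

    def score(self, packet: Packet) -> float:
        """Anomaly score in bits: larger means rarer relative to the profile."""
        _, dst_ip, dst_port = packet
        buckets = len(self.counts) + 1  # known pairs plus one 'unseen' bucket
        p = (self.counts[(dst_ip, dst_port)] + self.alpha) / (self.total + self.alpha * buckets)
        return -log2(p)

    def alerts(self, packets: Iterable[Packet], threshold: float) -> List[Tuple[Packet, float]]:
        return [(p, self.score(p)) for p in packets if self.score(p) > threshold]


def fan_out(packets: Iterable[Packet], dst_port: int) -> Dict[str, int]:
    """Distinct destination hosts each source contacted on one port. A worm probing a
    subnet shows up as one source with a high count, even when every destination host
    is individually part of the normal profile."""
    seen: Dict[str, set] = defaultdict(set)
    for src, dst, port in packets:
        if port == dst_port:
            seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}


# Constructed samples.
# Night: only the backup job (SMB to the file server) and SNMP polling are running.
NIGHT = [("10.0.0.5", "10.0.0.20", 445)] * 30 + [
    ("10.0.0.6", f"10.0.0.{i}", 161) for i in range(10, 15)] * 8
# Day: clients use the web, mail and DNS servers.
DAY = [(f"10.0.1.{i}", "10.0.0.80", 80) for i in range(1, 41)] + [
    (f"10.0.1.{i}", "10.0.0.25", 25) for i in range(1, 11)] + [
    (f"10.0.1.{i}", "10.0.0.53", 53) for i in range(1, 11)]
# One internal host probing ten neighbours on port 445.
WORM = [("10.0.1.7", f"10.0.0.{i}", 445) for i in range(30, 40)]

THRESHOLD = 5.0  # bits; in practice tuned per product and per network


def build_profile(training: List[Packet]) -> DestinationProfile:
    profile = DestinationProfile()
    profile.train(training)
    return profile


def count_alerts(training: List[Packet], observed: List[Packet]) -> int:
    """Number of observed packets scoring above THRESHOLD against a profile."""
    return len(build_profile(training).alerts(observed, THRESHOLD))


if __name__ == "__main__":
    # Profiling only at night: every daytime packet looks anomalous (false positives).
    print("night profile, daytime traffic:", count_alerts(NIGHT, DAY), "alerts of", len(DAY))
    # Profiling a full day: normal traffic is quiet, the probing host still scores high.
    print("full profile, daytime traffic: ", count_alerts(NIGHT + DAY, DAY), "alerts")
    print("full profile, worm traffic:    ", count_alerts(NIGHT + DAY, WORM), "alerts")
    print("fan-out on port 445:", fan_out(DAY + WORM + NIGHT, 445))
```

With the night-only profile all 60 daytime packets fire, which is the baseline-window problem described above; with the full-day profile the same daytime traffic produces no alerts while the ten probe packets still do, and the fan-out count gives a second, simpler signal for the same host.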


