Re: question about anomalies detection

From: Raj Malhotra (ral.mal_at_gmail.com)
Date: 09/03/04

    Date: Fri, 3 Sep 2004 11:43:24 +0530
    To: "faisal99@inf.its-sby.edu" <faisal99@inf.its-sby.edu>

    Hi

    > 1. To train the anomaly detection system, we must train the application
    > with the normal profile. My question is how we get the normal profile: are
    > they built by ourselves, or do we try to get them from our network dump data to be
    > set as the normal profile, or do we use the prebuilt data on the net (like the data
    > from the Lincoln Lab)?

    You can do all three. But I would like to do it as follows:
    1) Assume that traffic on my LAN is clean.
    2) Set up a machine running tcpdump with the "-w" option to keep logging
       whatever goes on the LAN.
    3) Use a Linux box and run nmap with the OS fingerprinting option on some
       target machines on the same LAN.
    4) The tcpdump will have a mixture of normal traffic and scans for OS
       fingerprinting.

    Look for features that are unique to OS fingerprinting (read how nmap
    works) and try to use k-nearest neighbour for classification.

    > 2. Is there any paper about SPADE (Snort plugin)? I've been googling for
    > some time but never found one.
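The classification step described in the reply above, as an added example that is not part of the original mail: a small k-nearest-neighbour classifier over per-packet TCP features, trained on a constructed, labelled sample. The feature choice (flag bits, option count, window size) and the sample rows are assumptions made for illustration, not nmap's actual probes; in practice the rows would be extracted from your own tcpdump capture and labelled by whether the source was the scanning box.

```python
from collections import Counter
from math import sqrt

# One feature vector per TCP packet. Both the feature choice and the values
# below are constructed for illustration (an assumption, not nmap's real probes):
# (syn, ack, fin, psh, urg, rst, number_of_tcp_options, window_size)
# Labelled training set: ordinary connection packets vs. probe-like packets
# carrying flag combinations and option layouts a normal stack does not emit.
# In practice the rows come from your own tcpdump capture, labelled by
# whether the source address was the machine running the scan.
TRAINING = [
    ((1, 0, 0, 0, 0, 0, 4, 64.0), "normal"),  # plain SYN
    ((1, 1, 0, 0, 0, 0, 4, 64.0), "normal"),  # SYN/ACK
    ((0, 1, 0, 1, 0, 0, 2, 63.0), "normal"),  # data segment
    ((0, 1, 0, 0, 0, 0, 2, 63.0), "normal"),  # bare ACK
    ((0, 1, 1, 0, 0, 0, 2, 63.0), "normal"),  # FIN/ACK close
    ((0, 0, 0, 0, 0, 1, 0, 0.0), "normal"),   # RST
    ((1, 0, 1, 1, 1, 0, 7, 1.0), "probe"),    # SYN+FIN+PSH+URG, odd options
    ((0, 0, 0, 0, 0, 0, 7, 1.0), "probe"),    # no flags at all, odd options
    ((0, 1, 0, 0, 0, 0, 7, 1.0), "probe"),    # ACK with odd options/window
    ((0, 0, 1, 1, 1, 0, 0, 1.0), "probe"),    # FIN+PSH+URG, no options
]

def scale_factors(training):
    """Per-column (min, max) so the window size does not swamp the flag bits."""
    columns = zip(*(features for features, _ in training))
    return [(min(col), max(col)) for col in columns]

def scale(features, factors):
    """Min-max scale every feature into [0, 1] using the training ranges."""
    return [(x - lo) / (hi - lo) if hi > lo else 0.0
            for x, (lo, hi) in zip(features, factors)]

def distance(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def knn_classify(features, k=3, training=TRAINING):
    """Majority label among the k training packets nearest to `features`."""
    factors = scale_factors(training)
    query = scale(features, factors)
    nearest = sorted(training,
                     key=lambda row: distance(query, scale(row[0], factors)))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

def classify_capture(packets, k=3):
    """Label every packet of a capture; the 'probe' ones are worth a closer look."""
    return [knn_classify(p, k) for p in packets]

if __name__ == "__main__":
    sample = [(0, 1, 0, 1, 0, 0, 3, 62.0), (0, 0, 1, 1, 1, 0, 6, 2.0)]
    print(classify_capture(sample))  # ['normal', 'probe']
```

With a real capture the training rows should number in the thousands and k should be tuned on a held-out slice; with a toy set like this one the vote is decided by two or three rows.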
