RE: IDS Signature Confidence
From: Mark Teicher (mht3_at_earthlink.net)
Date: 07/22/05
- Previous message: Mark Teicher: "RE: NetFlow for IDS"
- In reply to: THolman_at_toplayer.com: "RE: IDS Signature Confidence"
- Next in thread: Mike Murray: "RE: IDS Signature Confidence"
Date: Thu, 21 Jul 2005 20:17:28 -0400
To: THolman@toplayer.com
If an Intrusion Detection Solution is engineered correctly, it should
be able to correlate network traffic in such a way that it can
recognize attack patterns even if a DoS attack is comprised of valid
traffic (i.e. DHCP Exhaustion, etc., etc.), regardless of whether it is
a rate-based IDS/IPS solution.
/m
At 05:53 AM 7/21/2005, THolman@toplayer.com wrote:
>Hi Raffy,
>
>If a DoS attack is made up of valid traffic, then a NIDS signature isn't
>going to pick it up.
>You need to establish whether or not incoming traffic from individual IPs
>meets acceptable transaction rates, and this is really a job for a
>rate-based IPS.
>
>Regards,
>
>Tim
>
>-----Original Message-----
>From: Raffael Marty [mailto:raffy@raffy.ch]
>Sent: 21 June 2005 00:00
>To: focus-ids@lists.securityfocus.com
>Subject: IDS Signature Confidence
>
>I was thinking about the following problem: Assume you have an NIDS
>signature looking for DoS attacks. In most of the cases I don't trust the
>NIDS reporting on a DoS attack. A lot of the DoS sigs just look at
>some bytes on the wire and tell me that there is a DoS attack going
>on. However, I need some more evidence that my services are indeed not
>accessible anymore. Some signatures on the other hand are very specific
>and you can trust them with whatever they report.
>Now this brings me to my question: How do you guys decide how much
>confidence you put in a certain IDS signature? And I am not talking
>about prioritizing the event. I am talking about assigning a "success"
>or "possible success" to signatures.
>
> -raffy
>
>
>--
> Raffael Marty, GCIA, CISSP raffael.marty@arcsight.com
> Senior Security Engineer Content Team @ ArcSight Inc.
> 5 Results Way Cupertino, CA 95014 (408) 864-2662
>
>--------------------------------------------------------------------------
>Test Your IDS
>
>Is your IDS deployed correctly?
>Find out quickly and easily by testing it with real-world attacks from
>CORE IMPACT.
>Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>to learn more.
>--------------------------------------------------------------------------
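The correlation this thread argues about, sketched for the DHCP exhaustion case (an added example, not part of any poster's message): every DISCOVER is valid on its own, so the check counts distinct client hardware addresses per switch port inside a time window. The event tuple layout, port names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumed correlation window
MAX_CLIENTS = 5       # assumed ceiling of distinct clients per port per window

def detect_dhcp_exhaustion(events, window=WINDOW_SECONDS, limit=MAX_CLIENTS):
    """Return {port: time of first alert} for ports where more than `limit`
    distinct client MACs sent DHCPDISCOVER within `window` seconds.

    events: (timestamp_seconds, port, client_mac, message_type) tuples,
    sorted by timestamp.
    """
    recent = defaultdict(deque)   # port -> deque of (timestamp, mac)
    alerts = {}
    for ts, port, mac, msg in events:
        if msg != "DISCOVER":
            continue
        seen = recent[port]
        seen.append((ts, mac))
        # Drop observations that have aged out of the window.
        while ts - seen[0][0] > window:
            seen.popleft()
        # Retries from one client count once; only new addresses add up.
        if port not in alerts and len({m for _, m in seen}) > limit:
            alerts[port] = ts
    return alerts

def build_sample_events():
    """Constructed sample data, not a capture."""
    events = []
    # Port ge-0/1: three ordinary clients, each retrying DISCOVER four times.
    for i in range(3):
        for retry in range(4):
            events.append((i * 2 + retry * 3.0, "ge-0/1",
                           f"00:11:22:00:00:{i + 1:02x}", "DISCOVER"))
    # Port ge-0/7: a previously unseen hardware address every half second.
    for n in range(20):
        events.append((5 + n * 0.5, "ge-0/7",
                       f"02:00:00:00:00:{n:02x}", "DISCOVER"))
    events.append((6.0, "ge-0/1", "00:11:22:00:00:01", "REQUEST"))
    return sorted(events)

if __name__ == "__main__":
    for port, ts in detect_dhcp_exhaustion(build_sample_events()).items():
        print(f"port {port}: possible DHCP exhaustion, first seen at t={ts:.1f}s")
```

A single client retransmitting at a high rate does not trip this check, while a plain packet-rate threshold on the same data would, which is the distinction between the two positions in the thread.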