Re: IDS with Case-Based Reasoning

From: Israel (israel_at_ditech.com.br)
Date: 08/25/05

  • Next message: Evans, Arian: "RE: using HIDS for change control"
    Date: Thu, 25 Aug 2005 11:13:00 -0300
    To: Sanjay Rawat <sanjayr@intoto.com>
    
    

    Hi,

    In the beginning, I will use some known attack logs, generated by known
    scans, such as nmap and fingerprinting, and by analyzing the TCP packet content. The
    strings in the content are a good indication of an attack.
    "wget%20" and "/bin/sh" are common strings used in attacks on server pages.
    Common signatures can be found in the Snort rules. We can build malicious
    network packets to use in the repository.

    alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)
    alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;)

    These are some examples found in the exploit.rules file.
    Currently, I need somebody to make a module that converts Snort rules to
    real network packets.

    =)

    Icya

    Sanjay Rawat wrote:

    > Hi Israel:
    > This is Sanjay. It's nice to hear about your project based on CBR. I
    > will be happy to participate in discussion on points/problems which
    > you may face during the project. To my understanding, the main issue
    > in CBR is to represent the known cases (in your case, attacks) in an
    > effective manner. I find good theoretical papers, but fewer real-life
    > implementations of CBR. Most of the applications are from the medical
    > side. There are a couple of papers suggesting the use of CBR in IDS (I
    > don't remember the references at present; probably some googling will
    > do that). Which attack repository are you going to use - DARPA?
    >
    > best wishes and regards
    > Sanjay
    >
    > At 08:13 PM 8/24/2005, Israel wrote:
    >
    >> Hello,
    >>
    >> I'm developing an IDS project for my computer science graduation.
    >> It will use Case-Based Reasoning and handle a repository with the
    >> malicious network logs to generate responses.
    >> libpcap is used to capture the network traffic.
    >> Do you have suggestions for the implementation?
    >> The software is under the GPL license and I would like to invite
    >> interested people to program.
    >>
    >> Thanx
    >>
    >> Israel Rocha
    >>
    >>
    >
    > Sanjay Rawat
    > Senior Software Engineer
    > INTOTO Software (India) Private Limited
    > Uma Plaza, Above HSBC Bank, Nagarjuna Hills
    > PunjaGutta,Hyderabad 500082 | India
    > Office: + 91 40 23358927/28 Extn 422
    > Website : www.intoto.com
    > Homepage: http://sanjay-rawat.tripod.com

    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it
    with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------
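The "module that converts Snort rules to real network packets" asked for above, as an added example for this thread; it is not code from Israel's project or from Snort. It parses the three exploit.rules entries quoted in the mail, lays each rule's content/offset/depth options out into a payload that satisfies them, wraps the payload in a synthetic TCP session (three-way handshake plus one data segment, because all three rules carry flow:to_server,established and Snort's stream tracker only marks a flow established after seeing the handshake) and returns the bytes of a classic pcap file. Only content, offset and depth are handled (no distance, within, pcre or nocase); the IP addresses, MAC addresses, client port, sequence numbers, timestamps and the 'A' pad byte are all made up.

```python
"""Snort 'content' options -> TCP session -> pcap.

Added example for the thread above, not Israel's project code. Handles
content/offset/depth only (no distance, within, pcre or nocase); addresses,
MACs, ports, sequence numbers, timestamps and the pad byte are made up."""
import re
import socket
import struct

# The three exploit.rules entries quoted in the mail (sid 1324, 1326, 1327).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; '
    'content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; '
    'content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; '
    'reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flow:to_server,established; '
    'content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; '
    'reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;)',
]

def split_options(rule):
    """Rule options between the parentheses, split on ';' outside quotes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [o.strip() for o in re.findall(r'(?:[^;"]|"[^"]*")+', body) if o.strip()]

def decode_content(text):
    """Snort content string: |..| runs are hex bytes, the rest is literal text."""
    return b"".join(bytes.fromhex(c) if i % 2 else re.sub(r"\\(.)", r"\1", c).encode("latin-1")
                    for i, c in enumerate(text.split("|")))

def parse_rule(rule):
    """Return (destination port, [{"bytes", "offset", "depth"}, ...])."""
    header = rule[: rule.index("(")].split()
    dport = int(header[6]) if header[6].isdigit() else 0   # 'any' -> 0
    contents = []
    for opt in split_options(rule):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            contents.append({"bytes": decode_content(val.strip('"')), "offset": None, "depth": None})
        elif key in ("offset", "depth") and contents:
            contents[-1][key] = int(val)   # modifier belongs to the preceding content
    return dport, contents

def build_payload(contents, pad=b"A"):
    """Lay the contents out so each one sits inside its offset/depth window."""
    buf = bytearray()
    for c in contents:
        base = c["offset"] or 0
        start = max(base, len(buf))   # never overwrite an earlier content
        if c["depth"] is not None and start + len(c["bytes"]) > base + c["depth"]:
            raise ValueError("content does not fit in its offset/depth window")
        buf += pad * (start - len(buf)) + c["bytes"]
    return bytes(buf)

def checksum(data):
    """RFC 1071 ones-complement checksum used by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums."""
    sip, dip = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip + tcp   # made-up MACs

def session(payload, dport, client="10.0.0.2", server="10.0.0.1", sport=40000):
    """Handshake plus one PSH/ACK data segment; flow:established needs the handshake."""
    syn, ack, psh, cseq, sseq = 0x02, 0x10, 0x08, 1000, 5000
    return [
        tcp_frame(client, server, sport, dport, cseq, 0, syn),
        tcp_frame(server, client, dport, sport, sseq, cseq + 1, syn | ack),
        tcp_frame(client, server, sport, dport, cseq + 1, sseq + 1, ack),
        tcp_frame(client, server, sport, dport, cseq + 1, sseq + 1, psh | ack, payload),
    ]

def rules_to_pcap(rules):
    """Classic pcap (magic a1b2c3d4, link type 1 = Ethernet), one session per rule."""
    frames = []
    for i, rule in enumerate(rules):
        dport, contents = parse_rule(rule)
        frames += session(build_payload(contents), dport, sport=40000 + i)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1125000000 + i, 0, len(frame), len(frame)) + frame
    return out
```

Writing rules_to_pcap(RULES) to a file gives something tcpdump -r can display and tcpreplay can push through a sensor; for sid 1327 the payload comes out as the 7 header bytes, one pad byte and the 6 bytes at offset 8, which is the smallest packet that satisfies both depth windows. Note that such packets only prove the sensor fires on the literal signature: a payload containing "/bin/sh" in an SSH stream is not by itself the CRC32 exploit, so a repository of cases built this way records what the rule matches, not what the attack looks like on the wire.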


