Re: IPS comparison

From: Frank Knobbe (frank_at_knobbe.us)
Date: 09/03/05

  • Next message: Frank Knobbe: "RE: IPS comparison"
    To: Focus-Ids Mailing List <focus-ids@securityfocus.com>
    Date: Sat, 03 Sep 2005 01:58:56 -0500
    
    
    

    On Tue, 2005-08-30 at 18:02 -0400, Adam Powers wrote:
    > This is why most of today's *successful* anomaly detection technologies
    > incorporate a learning or "behavioral" component that overcomes this kind of
    > problem. Take StealthWatch for instance. When a new DNS server comes online,
    > StealthWatch looks at the flows being generated by the server, figures out
    > what the server is and how it's behaving, then applies the appropriate
    > algorithms given the contextual awareness of the server's learned behaviors.
    >
    > In a nutshell:
    >
    > 1. New host detected.
    > 2. Let's watch it for a bit and figure out what it's up to.
    > 3. Now that we know what the machine is and does, apply the proper anomaly
    > detection techniques to the traffic generated by the host.

    uhm... then I would rather not use StealthWatch. If a new host comes
    online, I'd like to receive an alert on that. Also, letting the IDS
    guess what is normal may be suboptimal. For instance, if a host is
    hacked and starts an FTP server on a new IP address the hacker assigns
    (new host), the IDS will watch the FTP traffic of the pubstro and then
    consider it normal. Except that it isn't :)

    So having an IDS accept a new host and consider its traffic normal
    without any sort of alerts or user intervention can hardly be considered
    a "successful" IDS.

    Regards,
    Frank

    -- 
    Ciscogate: Shame on Cisco. Double-Shame on ISS.
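The trade-off argued in the exchange above, as an added example that is not code from the thread, from StealthWatch or from any other product: a toy flow-based baseliner that learns a per-host service profile, run under the two policies discussed (silently learn a newly seen host versus alert on it first). The flow records, the host inventory, the addresses and the size of the learning window are all constructed for illustration.

```python
"""Toy flow-based baselining: alert-on-new-host versus silent learning.

Added example for the Focus-IDS thread; not code from the thread or from
any product. Flow records, the host inventory and the learning window are
constructed for illustration.
"""
from dataclasses import dataclass, field

LEARNING_WINDOW = 20  # flows observed before a host's learned profile is trusted


@dataclass
class Flow:
    src: str
    dst: str      # the server side of the connection
    proto: str
    dport: int


@dataclass
class HostProfile:
    services: set = field(default_factory=set)  # (proto, port) pairs seen served
    observed: int = 0                            # flows consumed while learning
    flagged: set = field(default_factory=set)    # services already alerted on


class Baseliner:
    """Learns per-host service profiles; optionally alerts on unknown hosts."""

    def __init__(self, inventory, alert_on_new_host=True):
        # Inventory hosts start with a trusted profile: learning already done.
        self.profiles = {
            ip: HostProfile(set(services), LEARNING_WINDOW)
            for ip, services in inventory.items()
        }
        self.alert_on_new_host = alert_on_new_host
        self.alerts = []

    def observe(self, flow):
        svc = (flow.proto, flow.dport)
        prof = self.profiles.get(flow.dst)
        if prof is None:
            # Unknown host. Silent learning just opens a profile; the
            # alternative raises an alert immediately so an operator decides
            # whether the host should exist at all.
            prof = self.profiles[flow.dst] = HostProfile()
            if self.alert_on_new_host:
                self.alerts.append(("NEW_HOST", flow.dst, f"{flow.proto}/{flow.dport}"))
        if prof.observed < LEARNING_WINDOW:
            # Learning phase: whatever is seen becomes "normal". This is the
            # window in which a compromised host's new service is absorbed
            # into the baseline instead of being flagged.
            prof.services.add(svc)
            prof.observed += 1
            return
        if svc not in prof.services and svc not in prof.flagged:
            # Trusted profile: a service never seen before is anomalous.
            prof.flagged.add(svc)
            self.alerts.append(("NEW_SERVICE", flow.dst, f"{flow.proto}/{flow.dport}"))


def scenario(alert_on_new_host):
    """Replay a constructed traffic sequence and return (alerts, services
    the baseliner ended up treating as normal on the new host)."""
    inventory = {"10.0.0.53": {("udp", 53)}}  # constructed: the known DNS server
    ids = Baseliner(inventory, alert_on_new_host)
    # Ordinary lookups from internal clients to the known resolver.
    for i in range(30):
        ids.observe(Flow(f"10.0.1.{i}", "10.0.0.53", "udp", 53))
    # A compromised box brings up an FTP server on a newly assigned address.
    for i in range(40):
        ids.observe(Flow(f"198.51.100.{i % 20}", "10.0.0.99", "tcp", 21))
    # Later, FTP also shows up on the already-profiled DNS server.
    ids.observe(Flow("198.51.100.7", "10.0.0.53", "tcp", 21))
    return ids.alerts, sorted(ids.profiles["10.0.0.99"].services)


if __name__ == "__main__":
    for policy in (False, True):
        alerts, learned = scenario(policy)
        print(f"alert_on_new_host={policy}: alerts={alerts}, "
              f"learned as normal on 10.0.0.99={learned}")
```

Under the silent-learning policy the only alert is the FTP service appearing on the already-profiled DNS server; the FTP server on the new address produces nothing, because its traffic was the baseline. Under the alert-first policy the same replay opens with a NEW_HOST alert for the new address, which is the point of the reply: learning has to be gated by an operator's decision about whether the host is supposed to be there, since the learner itself cannot tell a new server from a compromise.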