IDS mailing list archives
Re: IDS data sets
From: Stefano Zanero <zanero () elet polimi it>
Date: Mon, 21 Feb 2005 16:11:31 +0100
Hallo Salim,
> I am a newbie to the forum. I am looking for some pointers as far as
> techniques/tools used in analyzing IDS data published by MIT & DARPA
> (http://www.ll.mit.edu/IST/ideval/).
The data are intended for IDS evaluation, thus you can analyze them with
any IDS / Network traffic analysis tool (as far as the TCPDump logs are
concerned) or with a BSM auditing tool for the rest of them.
> My attempts thus far have resulted in
> crashing of my windows system.
Well, what operation doesn't crash a windows system nowadays :)
Seriously: those datasets are HUGE. I advise you to use stable, simple
utilities to analyze them. And lots of RAM would help, also.
> The data available is five years old and I
> have some doubts about the validity of any results obtained from the data.
There is an awfully good critique of that dataset in J. McHugh, "Testing
Intrusion detection systems: a critique of the 1998 and 1999 DARPA
intrusion detection system evaluations as performed by Lincoln
Laboratory", ACM Transactions on Information and System Security
(TISSEC), Volume 3, Issue 4 (November 2000)
http://portal.acm.org/citation.cfm?id=382923
--
Cordiali saluti,
Stefano Zanero
Dottorando di Ricerca / Ph.D. Student
Politecnico di Milano - Dip. Elettronica e Informazione
Via Ponzio, 34/5 I-20133 Milano - ITALY
Tel. +39 02 2399-4010/3660
Fax. +39 02 2399-3411
E-mail: zanero () elet polimi it
Web: www.elet.polimi.it/upload/zanero
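The advice in the reply above, to push the DARPA tcpdump logs through simple, stable utilities rather than tools that need the whole capture in memory, as an added example that is not part of this thread: a streaming libpcap reader written with the Python standard library only, which tallies packets per IP protocol one record at a time. The capture bytes it runs on are constructed inline for the example and are not MIT/DARPA data; the function names are the example's own.

```python
"""Streaming summary of a tcpdump/libpcap capture using only the standard library.

Records are read one at a time, so memory use is bounded by the snaplen, not by
the size of the file. The capture bytes used for the demo are constructed here
for the example; they are not MIT/DARPA data.
"""
import io
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4       # classic libpcap magic (microsecond timestamps)
ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def iter_pcap_records(stream):
    """Yield (timestamp_seconds, frame_bytes) per record without loading the whole file."""
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    # The magic number reveals which byte order the writing host used.
    if struct.unpack("<I", header[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", header[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    link_type = struct.unpack(endian + "I", header[20:24])[0]
    if link_type != 1:  # LINKTYPE_ETHERNET
        raise ValueError("this example decodes Ethernet captures only (link type %d)" % link_type)
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            return                                  # end of file (or a cut-off trailing header)
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
        frame = stream.read(incl_len)
        if len(frame) < incl_len:
            return                                  # truncated record: stop instead of misparsing
        yield ts_sec + ts_usec / 1e6, frame


def summarize(stream):
    """Tally packets per IP protocol and bytes captured; non-IPv4 frames get their own bucket."""
    by_proto = Counter()
    total_bytes = 0
    for _ts, frame in iter_pcap_records(stream):
        total_bytes += len(frame)
        # 14-byte Ethernet header + 20-byte minimum IPv4 header = 34 bytes
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            by_proto["non-ipv4"] += 1
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if (ip[0] >> 4) != 4 or ihl < 20 or len(ip) < ihl:
            by_proto["malformed-ipv4"] += 1
            continue
        by_proto[PROTO_NAMES.get(ip[9], "ip-proto-%d" % ip[9])] += 1
    return {"packets": sum(by_proto.values()), "bytes": total_bytes, "by_proto": dict(by_proto)}


def _ipv4_frame(proto, payload_len):
    """Constructed Ethernet + IPv4 frame with a zeroed payload (example data, not real traffic)."""
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)          # dst/src MAC zeroed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + bytes(payload_len)


def build_sample_pcap(byte_order="<"):
    """Constructed capture: one TCP, one UDP, one ICMP and one ARP frame, in either byte order."""
    out = struct.pack(byte_order + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    frames = [_ipv4_frame(6, 40), _ipv4_frame(17, 12), _ipv4_frame(1, 8),
              bytes(12) + struct.pack("!H", 0x0806) + bytes(28)]   # last one is ARP
    for i, frame in enumerate(frames):
        out += struct.pack(byte_order + "IIII", 1000000 + i, 0, len(frame), len(frame))
        out += frame
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # real capture: streamed from disk, never slurped
        with open(sys.argv[1], "rb") as f:
            print(summarize(f))
    else:
        print(summarize(io.BytesIO(build_sample_pcap())))
```

Run it with a path to a tcpdump file to get a per-protocol tally of a capture of any size; with no argument it summarizes the constructed sample. The reader stops cleanly at a truncated trailing record rather than raising, which is what you want when a multi-gigabyte capture was cut short mid-write.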