Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



IDS: anomaly IDS ideas ?

anomaly IDS ideas ?

From: <the_aok_at_yahoo.com>
Date: 1 Feb 2006 19:41:16 -0000
('binary' encoding is not supported, stored as-is) hello,
im a computer science student and i have to do my graduation project
next
semester, i want to do it on anomaly IDS's. i have searched the
internet and
found little on that subject,here are my ideas on how to implement a
network
anomaly IDS,please correct me where im wrong or if u have any other
references or ideas i would be happy to hear from you:
the IDS will have 2 stages;first it will study the network traffic and
build
some kind of a database that keeps what should be marked as 'safe' and
after
collecting enough information it should start running and issue alerts
when
anomalies happen(network data will be compared to the database built in
the
first stage),this is the data im going to collect:
1-information about each hostname,IP address,and MAC address.(i think
this
should stop ARP Poisoning attacks by comparing later traffic to the
database
of MAC addresses associated with IP addresses)
2-ports open on each host and ports that each host connects to.the IDS
should issue an alert if the host opens a port which wasnt open before
or
tries to connect to a new port; with this i think that exploits that
use
bind or connectback shellcode should be stopped.
3-times each host uses the network and which usernames it uses to
connect to
network resources; this should enable the IDS to detect if someone else
is
using the computer or using a different username.

this is it :) i know that this is not near enough and that is why im
sending
this email, for example if someone uses an upload/exec shellcode in an
exploit i dont think that the IDS will detect it, or if a trojan
connects to
a common port(for example port 80) the IDS won't notice it.
another thing i want is to minimize false positives,which is an
important
thing.the main aim of the IDS will be to stop 0day attacks from
happening,
so if anyone has any ideas or any references i would really appreciate
it.
thank you,

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
Received on Feb 02 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos