Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
I'm not so sure I would call this "offensive use of an IDS". It's
really offensive use of a sniffer. There are a variety of protocols
such as SNMP and OSPF/RIP/BGP which can be used to figure out the
topology and services available on a target network. Even DNS and
"ping's" from a network management system can also be used. One of
my all time favorites was to intercept an X session which contained
an HP Openview session with active network maps.
From a commercial IDS point of view, I think this information has
obvious security value. For example, in the Dragon IDS, you can
search through a complex ACL of SYN-ACKs from servers on your
network and also for responses from servers that your folks are
visiting. This means you can say neat things like "I have 5 DNS
servers so I will ignore port 53 SYN/ACK traffic from them,
but alert on port 53 SYN/ACKs from other servers that may be
unauthorized ports". The same thing goes for general rules which
say, show me a SYN/ACK for any of my machines above port 1024
which may indicate backdoor traffic. There will be some false
alarms from FTP transfers, but a consistent port such as a proxy
or IRC server will stand out.
Ron Gula, CTO
Network Security Wizards
Received on Apr 14 2000
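The two SYN/ACK rules described in the post, as an added example that is not from the original message or the Dragon IDS: the network range, the authorized DNS server list and the sample packets are constructed values.

```python
# Added example, not from the original post or the Dragon IDS: the two
# SYN/ACK rules described above, applied to constructed packet records.
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed (constructed) values: my network and the five authorized DNS servers.
MY_NET = ip_network("10.0.0.0/24")
KNOWN_DNS = {f"10.0.0.{i}" for i in range(1, 6)}
SYN_ACK = frozenset({"SYN", "ACK"})

def pkt(src, sport, dst, dport, *flags):
    """Build one packet record; flags are TCP flag names."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": frozenset(flags)}

def check_syn_ack(p):
    """Return an alert string for one packet, or None.
    Only SYN/ACK packets are examined: they come from the side that
    accepted the connection, so the source port names the listening service."""
    if p["flags"] != SYN_ACK:
        return None
    src, sport = p["src"], p["sport"]
    if sport == 53 and src not in KNOWN_DNS:
        return f"DNS reply from unauthorized server {src}"
    if ip_address(src) in MY_NET and sport > 1024:
        return f"high-port listener {src}:{sport} (possible backdoor)"
    return None

def consistent_high_ports(pkts, min_hits=3):
    """Return {(src, sport)} for internal hosts that accept connections on
    the same high port at least min_hits times. A one-off FTP data
    connection does not repeat; a proxy or IRC server does and stands out."""
    hits = Counter((p["src"], p["sport"]) for p in pkts
                   if check_syn_ack(p) and p["sport"] > 1024)
    return {key for key, n in hits.items() if n >= min_hits}

# Constructed sample traffic.
SAMPLE = [
    pkt("10.0.0.2", 53, "10.0.0.77", 40123, "SYN", "ACK"),   # authorized DNS
    pkt("10.0.0.99", 53, "10.0.0.77", 40124, "SYN", "ACK"),  # unknown DNS server
    pkt("10.0.0.77", 40124, "10.0.0.99", 53, "SYN"),         # client SYN, ignored
    pkt("10.0.0.77", 3001, "10.0.0.50", 20, "SYN", "ACK"),   # active-mode FTP data, one-off
] + [pkt("10.0.0.60", 6667, f"10.0.0.{c}", 50000 + c, "SYN", "ACK") for c in (70, 71, 72)]

if __name__ == "__main__":
    for p in SAMPLE:
        alert = check_syn_ack(p)
        if alert:
            print(alert)
    print("consistent high-port listeners:", consistent_high_ports(SAMPLE))
```

The per-packet rule flags the one-off FTP data port as well as the IRC server; the repetition count is what separates the false alarm from the consistent listener.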