Intrusion Detection Systems
mailing list archives
RE: RE: Ramping up for another review
From: dugsong () monkey org (Dug Song)
Date: Tue, 11 Jul 2000 18:37:25 -0400 (EDT)
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
On Mon, 10 Jul 2000, Klaus, Chris (ISSAtlanta) wrote:
> I do not believe either of them have tackled a standard for common IDS
> response protocol.

what do you mean by this? what requirements would such a protocol have?

> I would expect to see CVE or something equivalent over time to be extended
> to the IDS area as well.

it has, and i still believe it is a misguided effort, as it seeks to
provide a nomenclature in the absence of any taxonomy - CVE participants
vote upon what attack names should be in the database, but are left to
their own devices in applying them.

> The IDS industry needs a standard for benchmarking the performance of IDS.

we've been over this before - see Roy Maxion's excellent RAID
presentations on IDS measurement and testing requirements for some idea of
what's actually needed, as opposed to the usual benchmarketing...

> Also, coming up with a common group of signatures that are turned on
> for performance testing for all IDS sensors can be tricky...

or invalid, in the case of IDSs which do more than misuse detection.

> Need almost something like fragrouter but for performance testing that
> everyone in the IDS industry can benchmark against.

tcpreplay with the DARPA IDEVAL reference corpus is about as good as it's
going to get for a while, it seems...
-d.
p.s. if anyone wants to fund IDS testing/measurement work at CITI
(www.citi.umich.edu), we'd be happy to do it... :-)
http://www.monkey.org/~dugsong/