On Thu, Oct 23, 2003 at 06:53 -0400, Sam f. Stover wrote:
> In the not too distant past I would have agreed with this - but I think
> as IDS implementations grew, the way people describe FPs has changed.
> I think today's IDS *needs* to know "the additional information about
> the context and relevance" - because the event you are referring to is
> what I'll call an "effective FP".
There is a paper upcoming at ACM's CCS next week in which we use the
term "contextual signatures" to describe the enhancement of
Snort-like signatures by incorporating additional context. We
implemented this for IDS Bro, making use of all its already existing
mechanisms to provide context (which includes a full scripting
language).
> Even better, I want to see the 404 or 403 error, so I
> can show my boss why I didn't even bother to look into it.
Actually, this is one of our examples: For a certain attack, we want
the IDS to alert only if the server has not answered with a 4xx.
The paper is available at http://www.net.in.tum.de/~robin/papers/ccs03.ps
Robin
--
Robin Sommer * Room 01.08.055 * www.net.in.tum.de
TU Munich * Phone (089) 289-18006 * sommer_at_in.tum.de
Received on Oct 25 2003
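The "alert only if the server did not answer with a 4xx" rule discussed above, as an added illustration that is not code from the thread, from the CCS paper, or from Bro. It assumes that a lower layer has already paired each HTTP request with its response (the `HttpTransaction` records below are constructed sample data), and that a transaction with no observed response is kept as an alert because the failure of the attempt cannot be confirmed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class HttpTransaction:
    """One request/response pair as a reassembly layer might hand it up.
    status is None when no response was seen (e.g. the connection was cut)."""
    client: str
    server: str
    uri: str
    status: Optional[int]


@dataclass
class ContextualSignature:
    """A Snort-like content match on the request plus a response-side
    condition that makes the match irrelevant ('effective FP')."""
    sid: int
    msg: str
    uri_pattern: re.Pattern
    suppress_statuses: range   # response codes that cancel the alert


# Hypothetical signature: a probe for scripts under /cgi-bin. The sid and
# pattern are constructed for this example, not taken from any real rule set.
SIGNATURES = [
    ContextualSignature(
        sid=1000001,
        msg="cgi-bin script probe (constructed)",
        uri_pattern=re.compile(r"^/cgi-bin/[^?]*\.(?:pl|sh)(?:\?|$)"),
        suppress_statuses=range(400, 500),
    ),
]


def evaluate(tx: HttpTransaction, sigs=SIGNATURES) -> Tuple[list, list]:
    """Return (alerts, suppressed) for one transaction.

    A signature hit is reported only when the server did not answer with a
    status in suppress_statuses. Hits the context cancels are returned
    separately so an analyst can still count them."""
    alerts, suppressed = [], []
    for sig in sigs:
        if not sig.uri_pattern.search(tx.uri):
            continue
        record = (sig.sid, sig.msg, tx.client, tx.server, tx.uri, tx.status)
        # Contextual part: a 4xx means the request failed, so the match is
        # an effective false positive and is not raised as an alert.
        if tx.status is not None and tx.status in sig.suppress_statuses:
            suppressed.append(record)
        else:
            alerts.append(record)
    return alerts, suppressed


def run(txs: List[HttpTransaction], sigs=SIGNATURES) -> Tuple[list, list]:
    """Evaluate a batch of transactions; returns (alerts, suppressed)."""
    all_alerts, all_suppressed = [], []
    for tx in txs:
        a, s = evaluate(tx, sigs)
        all_alerts.extend(a)
        all_suppressed.extend(s)
    return all_alerts, all_suppressed


# Constructed sample traffic: two hits the context keeps, two it cancels,
# and one benign request.
SAMPLE = [
    HttpTransaction("10.0.0.5", "192.0.2.10", "/cgi-bin/test.pl", 200),
    HttpTransaction("10.0.0.5", "192.0.2.10", "/cgi-bin/old.sh", 404),
    HttpTransaction("10.0.0.6", "192.0.2.10", "/index.html", 200),
    HttpTransaction("10.0.0.7", "192.0.2.10", "/cgi-bin/x.pl", None),
    HttpTransaction("10.0.0.8", "192.0.2.10", "/cgi-bin/a.pl?id=1", 403),
]

if __name__ == "__main__":
    alerts, suppressed = run(SAMPLE)
    for rec in alerts:
        print("ALERT", rec)
    print(f"{len(suppressed)} hit(s) suppressed by 4xx context")
```

Keeping the cancelled hits in a separate list is what makes the 404/403 evidence available to show why an event was not investigated, without letting those events reach the alert queue.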