Intrusion Detection Systems mailing list archives

Re: Real Traffic (was Re: BlackICE IDS)


From: dugsong () monkey org (Dug Song)
Date: Tue, 7 Dec 1999 15:13:12 -0500 (EST)



On Mon, 6 Dec 1999, Robert Graham wrote:

> Along with this, I should mention that there is sometimes a tradeoff between
> speed and accuracy.

when *isn't* there? :-)

> For example, when RFP released "whisker", he put some interesting
> anti-IDS capabilities in it

URI path translation attacks, which you can do with a browser as well
(e.g. http://www.monkey.org/foo/../bar/../cgi-bin/./././phf). but there
are many other subterfuge attacks possible against a passive monitor which
isn't actually parsing the application data in the same way as the
target server...

> The unfortunate thing is that objective metrics like "packets-second"
> or "number of signatures" or similar numbers frequently miss the
> point.

which is what? i'd say that objective metrics are of UTMOST importance -
it's just that few ppl are concerned with defining what they should be,
and how they should be measured (basically, no one in the commercial
world, and only a handful of academics).

> Therefore, the only real solution is to run the NIDS in your own
> environment, throw some attacks onto the wire, and see if it works.

and i'm sure you tested the airbag and seatbelt in your car with a
personal crash test, right? ;-)

-d.

http://www.monkey.org/~dugsong/
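The URI path translation point above is easiest to see in code. The following is an added example, not part of the post or of whisker: a small path normalizer of the kind a passive monitor needs in order to see a request the way the target web server will, plus a naive substring signature check beside a check that runs on the normalized path. The URI, the signature string and the function names are constructed for illustration; the normalizer follows common server behaviour (drop empty and "." segments, pop on "..", clamp ".." at the root) and is an assumption about the target, which is exactly the caveat the post makes: the monitor's parsing has to match the server's.

```python
from urllib.parse import urlsplit

# Constructed sample input (assumption: illustrative, not from the post).
RAW_URI = "http://www.monkey.org/foo/../bar/../cgi-bin/./././phf"
SIGNATURE = "/cgi-bin/phf"


def normalize_path(path: str) -> str:
    """Resolve '.' and '..' segments the way a typical web server does
    before mapping the request path to a file.

    Assumption: '..' above the document root is clamped at the root,
    which is what most servers do; a monitor must mirror the server it
    protects, so this rule is a parameter of the target, not a constant.
    """
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue            # empty (double slash) and "." are no-ops
        if seg == "..":
            if out:
                out.pop()       # step back one directory
            continue            # at root: nothing to pop, ignore it
        out.append(seg)
    return "/" + "/".join(out)


def naive_match(uri: str, signature: str) -> bool:
    """Signature check on the raw wire bytes: misses the obfuscated path."""
    return signature in uri


def normalized_match(uri: str, signature: str) -> bool:
    """Signature check after normalizing the path as the server would."""
    return signature in normalize_path(urlsplit(uri).path)


def compare(uri: str = RAW_URI, signature: str = SIGNATURE) -> dict:
    """Return both verdicts plus the normalized path, for inspection."""
    return {
        "normalized": normalize_path(urlsplit(uri).path),
        "naive_hit": naive_match(uri, signature),
        "normalized_hit": normalized_match(uri, signature),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
</test>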


