Intrusion Detection Systems mailing list archives
Identifying things that go Dump
From: ajcblyth () glam ac uk (Comp)
Date: Fri, 19 Nov 1999 16:15:00 -0000
Greetings,
-----Original Message-----
From: Ryan Permeh [SMTP:rrpermeh () rconnect com]
Sent: 18 November 1999 16:56
To: Blyth A J C (Comp)
Cc: 'Stefano Maifreni'; ids () uow edu au
Subject: Re: IDS: RE: IDS
This is a great idea, but how do you define "normal" network traffic? And when do you define it? What if an attack is in progress while network traffic is being normalized? I've thought about this for a while as a method to stop spam messages, and defining "normal SMTP traffic" is nearly impossible, due to the effect that the spam attacks are already part of the "normal". I know IDS doesn't actively defeat spam, as of now, however, as a side note, it could.

Misuse is much harder to detect in normalization. Certainly, you can set up traffic flow diagrams of legit traffic, but you may run into two issues. 1. An attacker may skew your results at the time of your measurement, and 2. attacks can be made low key enough to appear as "normal" traffic on your network. Are you going to notice if someone was gathering information from your mail server if he was only using connects to TCP 25 to fingerprint your server? A single TCP connection can tell a lot about a system, and not set off alarms. Anomaly and misuse detection needs to grow up before I think it can easily be used as an IDS.
[Blyth A J C (Comp)]
I agree with you that there is much work still to be done in the area of IDS. One idea with regard to normalization of traffic is to construct a meta model of security data and then import all your data (log files) and normalize your meta data. So for example: one reasonable assumption is that all port 25 connections should result in mail being sent or delivered to that machine. If you combine the mail logs and the network logs, then you can identify when and where this has happened.

Another possibility is to use pre-defined data such as the DARPA data to normalize your network traffic. This will allow you to examine patterns that fall outside of such data.

Regards
Andrew.