Intrusion Detection Systems mailing list archives
Re: IDS Comparison
From: dugsong () monkey org (Dug Song)
Date: Fri, 10 Mar 2000 01:42:17 -0500 (EST)
On Mon, 6 Mar 2000, Martin Roesch wrote:
> Your IDS performs fragmentation reassembly, great. Does it perform it the same way as the target under attack? If it doesn't, someone may fragroute their way right past you. Ditto for TCP stream reassembly.
ditto for TCP/IP option processing, and application protocol parsing:
Usage: fragproxy ATTACK host port
where ATTACK is one of the following:
-B1: base-1: normal TCP/UDP proxying
-L1: line-1: line-oriented protocol typeahead
-R1: rpc-1: RPC record fragmentation
-R2: rpc-2: RPC portmap proxy
-T1: tel-1: Telnet/FTP NVT option insertion
-T2: tel-2: Telnet keystroke editing
-W1: www-1: HTTP URI escaping
-W2: www-2: HTTP URI path translation
...
just a heads-up. :-)
> Given that we detect every device on the network and can identify the operating system/IP stack that it's running we can do something really cool: accurately model the behavior of the IP defragmentation/TCP stream reassembly of *any* target host on the network in a computationally inexpensive manner.
but do you also identify the software running on each of those devices, and accurately model their implementation-specific anomalies? see rfp's whisker for an example of this for HTTP.
> It's hard to explain without explaining ontologies, but the performance of the ARMOR detection engine loaded with 10000 rules is about the same (within 10%) of the performance of the engine with 100 rules. For all intents and purposes, rules load doesn't matter to the system as a performance limiter.
you mean, unexercised rules. running code takes CPU, this is a dawg-given fact. and when your most computationally expensive code paths can be triggered at will by an outside attacker, the best you can really do is damage control. it may be worth writing a program to demonstrate this, for the purposes of further benchmarking and comparison (nidsdos?). something noisy, implementing state holding attacks (IP fragment and TCP segment random drop), and exercising worst-case code paths (anything that triggers expensive or bifurcated input analysis).

-d.

http://www.monkey.org/~dugsong/
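The reassembly-ambiguity point made above (a sensor that does not defragment the way the target does can be fragrouted past) as an added example, not code from the original post or from fragroute/fragproxy. It models two simplified overlap policies, "first" (bytes already received win) and "last" (later fragments overwrite), standing in for the stack-specific rules real hosts apply; the fragments, the toy content rule and the function names are all constructed for the demonstration. The `conflicting_overlap` check is the practitioner's caveat: a sensor that cannot know the target's policy can at least alert when overlapping fragments disagree, since benign retransmissions carry identical bytes.

```python
"""Overlap-policy-dependent IP fragment reassembly (constructed example)."""
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int    # byte offset of this fragment within the datagram
    data: bytes


def reassemble(frags, policy):
    """Reassemble `frags` (in arrival order) under an overlap policy.

    policy == 'first': the first fragment to cover a byte keeps it.
    policy == 'last' : the most recent fragment to cover a byte wins.
    Bytes no fragment covers stay 0x00 (a real stack would hold the
    datagram until they arrive or the reassembly timer expires).
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown overlap policy {policy!r}")
    total = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(total)
    covered = [False] * total
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if covered[pos] and policy == "first":
                continue          # earlier data wins; drop the overlap
            buf[pos] = b
            covered[pos] = True
    return bytes(buf)


def conflicting_overlap(frags):
    """True if two fragments claim the same byte with different values.

    Retransmissions overlap with identical data; disagreeing overlaps are
    the fingerprint of an insertion/evasion attempt and are worth an alert
    regardless of which policy the sensor itself applies.
    """
    seen = {}
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in seen and seen[pos] != b:
                return True
            seen[pos] = b
    return False


SIGNATURE = b"cgi-bin/phf"   # toy content rule for a classic CGI probe

# Constructed attacker fragments: a benign request line arrives first,
# then an overlapping fragment rewrites the same byte range.
ATTACK_FRAGS = [
    Fragment(0, b"GET /"),
    Fragment(5, b"default.htm HTTP/1.0\r\n"),
    Fragment(5, b"cgi-bin/phf HTTP/1.0\r\n"),
]


def ids_verdict(frags, ids_policy, target_policy):
    """Return (ids_alerted, target_hit): what the sensor concludes versus
    what the target host actually processes."""
    ids_view = reassemble(frags, ids_policy)
    target_view = reassemble(frags, target_policy)
    return SIGNATURE in ids_view, SIGNATURE in target_view


if __name__ == "__main__":
    for ids_pol, tgt_pol in (("first", "last"), ("last", "last")):
        alerted, hit = ids_verdict(ATTACK_FRAGS, ids_pol, tgt_pol)
        print(f"IDS={ids_pol:5} target={tgt_pol:5} "
              f"alert={alerted} target_hit={hit}")
    print("conflicting overlap:", conflicting_overlap(ATTACK_FRAGS))
```

With the sensor on "first" and the target on "last", the target executes the phf request while the sensor reassembles a harmless GET for default.htm and stays silent; only when the sensor's policy matches the target's does the content rule fire. The same shape of bug applies one layer up to TCP segment overlap and to the Telnet/HTTP parsing differences listed in the fragproxy usage.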
Current thread:
- Research topics in IDS, (continued)
- Research topics in IDS twv14 (Mar 09)
- RE: Research topics in IDS Bill Royds (Mar 10)
- Blackice trojaned and very buggy jeff andrews (Mar 09)
- Research topics in IDS twv14 (Mar 09)
- IDS comparison Klaus, Chris (ISSAtlanta) (Mar 07)
- Re: IDS comparison Greg Shipley (Mar 09)
- RE: IDS Comparison Vin McLellan (Mar 07)
- RE: IDS Comparison David Newman (Mar 08)
- RE: IDS Comparison Martins, Fernando (Lisbon) (Mar 08)
- RE: IDS Comparison David Newman (Mar 08)
- RE: IDS Comparison Lister, Justin (Mar 08)
- Re: IDS Comparison Dug Song (Mar 09)
