IDS mailing list archives
Re: Anomaly based network IDS
From: Brian Hernacki <bhern () meer net>
Date: Thu, 03 Apr 2003 09:42:56 -0800
> The detection logic of the 'compliant but suspicious' subset of the protocol anomaly detection is generally built based on manual analysis.
> How does it determine what is suspicious?
There are several ways to determine cases which are compliant but still worth alerting on (even though you don't *know* it's a particular exploit). Sometimes we will examine a protocol for obvious points of attack. Other times we may examine a class of exploits or even applications and create logic to detect those types of attacks more generically. Often these 'gaps' are created by grey areas in protocol specifications or differences between specification and implementation.

ManHunt also applies similar logic in its other detection mechanisms (e.g. traffic monitoring and analysis).
--brian
brian_hernacki () symantec com
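As an added illustration of the 'compliant but suspicious' idea discussed in the reply above (this is example code written for this page, not ManHunt's logic or anything from the thread), the Python below first checks an HTTP/1.x request head against the RFC 7230 grammar, and only for requests that pass that check applies hand-written heuristics of the kind described: needless percent-encoding of alphanumerics (legal, but a classic signature-evasion trick), a valid-token method that is not a known one, dot-dot path segments, an oversized request-target, and the Transfer-Encoding/Content-Length combination that RFC 7230 itself calls out as a possible smuggling attempt because implementations handle it differently. The function names, the 2048-byte target limit and the sample requests are all assumptions constructed for the example.

```python
"""Added example: flag HTTP requests that are grammatically compliant but
suspicious, in the spirit of the protocol-anomaly discussion above."""
import re
from urllib.parse import unquote

# RFC 7230 'tchar' alphabet: what a syntactically valid token may contain.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VERSION = re.compile(r"^HTTP/1\.[01]$")
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                 "OPTIONS", "TRACE", "CONNECT", "PATCH"}
MAX_TARGET = 2048   # assumed local policy; the spec sets no limit


def parse_request_head(raw: bytes):
    """Strict syntax check of an HTTP/1.x request head.

    Returns (method, target, version, headers); headers keep duplicates as
    (lowercased-name, value) pairs.  Raises ValueError on anything that is
    not well-formed, which is the easy, clearly non-compliant case."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = (p.decode("ascii") for p in parts)
    if not TOKEN.match(method) or not VERSION.match(version):
        raise ValueError("bad method or version")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep or not TOKEN.match(name):
            raise ValueError(f"malformed header line {line!r}")
        headers.append((name.lower(), value.strip()))
    return method, target, version, headers


def suspicious_reasons(method, target, version, headers):
    """Heuristics derived from reading the protocol: each one is legal per
    the grammar but has no good reason to appear in ordinary traffic."""
    reasons = []
    if method not in KNOWN_METHODS:
        reasons.append(f"valid token but unknown method {method!r}")
    if len(target) > MAX_TARGET:
        reasons.append(f"request-target longer than {MAX_TARGET} bytes")
    # %41 for 'A' is legal percent-encoding, but nothing legitimate emits
    # it; it is the classic way to slip past a plain-text signature.
    if any(chr(int(h, 16)).isalnum()
           for h in re.findall(r"%([0-9A-Fa-f]{2})", target)):
        reasons.append("needless percent-encoding of an alphanumeric in target")
    path = unquote(target.split("?", 1)[0])
    if ".." in path.split("/"):
        reasons.append("dot-dot segment in decoded path")
    names = [n for n, _ in headers]
    if "transfer-encoding" in names and "content-length" in names:
        # RFC 7230 3.3.3: Transfer-Encoding overrides Content-Length and the
        # combination "might indicate an attempt to perform request
        # smuggling"; a spec-vs-implementation grey area.
        reasons.append("Transfer-Encoding and Content-Length both present")
    if names.count("content-length") > 1:
        reasons.append("repeated Content-Length header")
    return reasons


def analyse(raw: bytes) -> dict:
    """Classify one request head: non-compliant, or compliant with reasons."""
    try:
        parsed = parse_request_head(raw)
    except ValueError as exc:
        return {"compliant": False, "reasons": [str(exc)]}
    return {"compliant": True, "reasons": suspicious_reasons(*parsed)}


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "evasion": b"GET /%63gi-bin/../../etc/passwd HTTP/1.1\r\n"
               b"Host: example.test\r\n\r\n",
    "smuggle": b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\nabcd",
    "odd_method": b"PURGE /cache HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "broken": b"GET /index.html\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyse(raw))
```

The split matters: the grammar check is mechanical and cheap to write, while every entry in `suspicious_reasons` came from someone reading the specification and asking where a compliant message could still be hostile, which is the manual analysis the reply refers to.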
Current thread:
- Re: Anomaly based network IDS Dale Gardner (Apr 02)
- Re: Anomaly based network IDS Brian Hernacki (Apr 03)