IDS mailing list archives
RE: Application level IDS?
From: "Fergus Brooks" <fergusb () evolve-online com>
Date: Thu, 19 Jun 2003 12:25:55 +0800
I suppose that any NIDS which performs protocol anomaly detection full time (eg Manhunt, Dragon) could be considered an application layer NIDS. I can't speak for Dragon but I know that Manhunt runs multiple state engines that monitor the particular protocols constantly and can generate events when they see something that is not in the RFC. Signature-based NIDS are also application layer in so much as if they have a signature for an attack that operates at layer 7 (eg Nimda) then they can generate an event. Not saying either type is better - I guess the systems that employ a combination of detection methods are the most thorough. There is a great product from KavaDo called InterDo which analyses application traffic at a very high level - aimed at web services etc, that acts as a firewall. They will say that their product is designed to complement a firewall, not replace it. It is not an IDS though but if you are looking for prevention at that level? They also have a scanner that makes mincemeat of lazy/poor code on servers if you want take that approach. Rgds. -----Original Message----- From: Smokey Lonesome [mailto:smokey_ids () yahoo com] Sent: Thursday, 19 June 2003 5:52 AM To: focus-ids () securityfocus com Subject: Application level IDS? Hi IDS experts, I'm not deeply familiar with IDS technologies and products, so I apologize in advance if this is a too-trivial question: Is there anything like an "application level IDS" ? (similar to what is now called "application firewall"?) What I mean is something that has the non-intrusive characteritics of an IDS (as it was discussed lately regarding Gartner's article - I'm talking about I_D_S and not I_P_S) but which is doing deep application level analysis, maybe even application-session (cookies?) related analysis (though i'm not sure it is possible to keep track of a session when you're just monitoring traffic). I think such a system should be able to detect the many application level attacks - SQL injections, hidden-fields tampering, cookie poisoning etc. while being more sensitive than a firewall\IPS considering it is not blocking any traffic upon detecting "suspicious" activity. Does something like that exist? Has any of you implemented it? Can it be implemented using any of the existing IDS's (maybe on top of Snort's stream4? Someone mentioned in a recent post "build POP3 protocol intelligence" - how can this be done with existing tools? can it be done for HTTP\HTML as well?) TIA, (-) Smokey. ------ "You can't have everything. Where would you put it?" (Steven Wright) __________________________________ Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com ------------------------------------------------------------------------ ------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ------------------------------------------------------------------------ ------- -- This message has been scanned by AVMail. ------------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com -------------------------------------------------------------------------------
Current thread:
- Application level IDS? Smokey Lonesome (Jun 18)
- Re: Application level IDS? Ali-Reza Anghaie (Jun 19)
- RE: Application level IDS? Eric Greenberg (Jun 19)
- Re: Application level IDS? Dug Song (Jun 19)
- RE: Application level IDS? Drew Copley (Jun 22)
- Re: Application level IDS? Dug Song (Jun 19)
- RE: Application level IDS? Fergus Brooks (Jun 19)
- Re: Application level IDS? K. K. Mookhey (Jun 19)
- <Possible follow-ups>
- RE: Application level IDS? adam.w.hogan (Jun 19)