IDS mailing list archives
RE: Hi, I want to study IPS
From: "Chris Petersen" <chris.petersen () security-conscious com>
Date: Wed, 14 Jul 2004 09:01:48 -0600
In our experience developing technology of this type (albeit data-mining anomaly detection software), you will need data from real networks to test your algorithms/methods against. Putting up a test network, with test data, does not provide a good baseline against which to evaluate the effectiveness of your techniques. You need real data, with real anomalies.

If you can't get a live feed from production networks, you might try something like tcpdump combined with tcpreplay. It's been a while, but I believe what I did was pump tcpdump files into a hub via tcpreplay. I then connected our sniffer and analysis software to the hub. I believe it's also possible to do this without a hub, where the replay system and sniffer are one and the same.

I think the most important consideration is making sure you have a network architecture that allows you to collect, replay, and sniff as much traffic as possible by as many different systems as possible.

Good luck,

Chris Petersen
CTO
Security Conscious, Inc.
www.logrhythm.com

-----Original Message-----
From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu]
Sent: Tuesday, July 13, 2004 9:27 AM
To: focus-ids () securityfocus com
Subject: RE: Hi, I want to study IPS

Hi all,

Continuing with these questions, we are planning a laboratory for research in the university. What do you think the computer requirements are for network-based anomaly detection research?

Urko

-----Original Message-----
From: Ali Rajput [mailto:arajput () hdaar com]
Sent: Tuesday, May 25, 2004 17:10
To: focus-ids () securityfocus com
Subject: Re: Hi, I want to study IPS

Hi,

My name is Muhammad Ali Rajput. It's good to hear that you want to study IPS. One thing you can do is visit www.sans.org; here you can find information to get started. IPS is quite a new concept, but nothing is impossible; maybe your 20-minute idea can work. Presently I am working on a host-based IDS (for Windows 2000 Pro) to submit as a degree project. You can mail me back if you need any information regarding this.

On Tuesday 25 May 2004 07:29, Runion Mark A FGA DOIM WEBMASTER(ctr) wrote:

Vaporwar-ish, or vapor-ware-ish? IPS is a wonderful concept. The few working incidents I've worked with are much larger scale, and use a more structured network. The concept discussed here as "IPS" is terribly limited if only implemented as a standalone piece of a network security wall.

Consider using IDS on LAN segments comprising pieces of the inbound and outbound traffic lanes in a network. These systems push gathered data to a control center (distributed if you can afford it). The control center monitors and tracks applicant data across the entire network (imagine a telco that might own the entire US data backbone). The control center might have various means of monitoring, tracking, and escalation for various in-process attacks.

The notion that a distributed Denial of Service cannot be stopped is a bit out of date. Many are, but it is always a credible legal issue. Imagine Johnny the Scumbag, sitting in his apartment on 46th street. Starts his attack using <insert pathetic script here>, and sits back to see the results. 10 seconds later his cable modem stops transmitting. 20 minutes later, there is a knock on the front door; the Police would like to chat. Okay, so the police actually getting there in 20 minutes is voyeuristic, but it could happen, maybe...

- Mark Runion

"Vapor trails are what novices try to follow, though never noticed by those who do it."

-----Original Message-----
From: Raistlin [mailto:raistlin () gioco net]
Sent: Saturday, May 22, 2004 1:49 PM
To: Greg Martin; focus-ids () securityfocus com
Subject: Re: Hi, I want to study IPS

Greg Martin wrote:
> Some vendors use a baseline of the network and take action if the baseline changes drastically.

Examples?

> Some use a 'negative space' technique which allows only valid traffic and considers all other traffic as a dos and drops it completely.

Again, examples?

IMHO IPS are nothing more than an integration of a firewall and an IDS concept. As such, they are rather fuzzy and vaporwar-ish enough to be very marketable.
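As an added example (not from any poster in this thread), here is the kind of first check one would run on replayed tcpdump files in the lab Chris describes: a minimal pcap reader that learns a per-second packet-rate baseline from a quiet window, in the spirit of the "baseline of the network" approach Greg mentions, and flags later seconds that deviate from it. The pcap bytes, addresses and burst are constructed inline; the frame builder, file layout and mean-plus-k-stdev threshold are my own assumptions, not any vendor's method.

```python
"""Added example (not from this thread): parse a tcpdump-format pcap and flag
per-second packet-rate anomalies against a baseline learned from a quiet window."""
import statistics
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap, microsecond timestamps

def build_pcap(packets):
    """Write a minimal libpcap file (linktype 1 = Ethernet) from (ts, frame) pairs."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def ipv4_frame(src, dst):
    """Constructed Ethernet + IPv4 header (no payload); checksum left at zero."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip

def packets_per_second(pcap):
    """Walk pcap records and count IPv4 frames per timestamp second."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off, counts = 24, {}
    while off + 16 <= len(pcap):
        sec, _usec, caplen, _wirelen = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] == b"\x08\x00":
            counts[sec] = counts.get(sec, 0) + 1
    return counts

def flag_anomalies(counts, train_seconds, k=3.0):
    """Baseline = mean/stdev over seconds [0, train_seconds); flag later seconds above mean + k*stdev (flat baseline falls back to stdev 1)."""
    train = [counts.get(s, 0) for s in range(train_seconds)]
    mean, sd = statistics.mean(train), statistics.pstdev(train) or 1.0
    return sorted(s for s, c in counts.items() if s >= train_seconds and c > mean + k * sd)

def demo():
    """Constructed capture: 5 pkt/s for 60 s, then one host bursts 200 frames in second 70."""
    pkts = [(s + i / 10, ipv4_frame(f"10.0.0.{i + 1}", "10.0.0.100"))
            for s in range(60) for i in range(5)]
    pkts += [(70 + i / 1000, ipv4_frame("10.0.0.9", "10.0.0.100")) for i in range(200)]
    return flag_anomalies(packets_per_second(build_pcap(pkts)), train_seconds=60)
```

The same reader works on a real capture taken from the sniffer side of the hub; the point of the quiet training window is that a baseline learned from synthetic lab traffic will not reflect the real variance Chris warns about.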
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------