IDS mailing list archives

RE: Hi, I want to study IPS


From: "Chris Petersen" <chris.petersen () security-conscious com>
Date: Wed, 14 Jul 2004 09:01:48 -0600

In our experience developing technology of this type (albeit data-mining
anomaly detection software), you will need data from real networks to test
your algorithms/methods against.  Putting up a test network, with test data
does not provide a good baseline against which to evaluate the effectiveness
of your techniques.  You need real data, with real anomalies.  

If you can't get a live feed from production networks, you might try
something like tcpdump combined with tcpreplay.  It's been a while but I
believe what I did was pump tcpdump files into a hub via tcpreplay.  I then
connected our sniffer and analysis software to the hub.  I believe it's also
possible to do this without a hub where the replay system and sniffer are
one and the same.

I think the most important consideration is making sure you have a network
architecture that allows you to collect, replay, and sniff as much traffic
as possible by as many different systems as possible.

Good luck,

Chris Petersen
CTO Security Conscious, Inc.
www.logrhythm.com

-----Original Message-----
From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu] 
Sent: Tuesday, July 13, 2004 9:27 AM
To: focus-ids () securityfocus com
Subject: RE: Hi, I want to study IPS


Hi all,

Continuing with these questions, we are planning a laboratory for research in
the university.

What do you think the computer requirements are for Network-based
Anomaly Detection research?



Urko

-----Original Message-----
From: Ali Rajput [mailto:arajput () hdaar com]
Sent: Tuesday, May 25, 2004 17:10
To: focus-ids () securityfocus com
Subject: Re: Hi, I want to study IPS

Hi,
My name is Muhammad Ali Rajput,
It's good to hear that you want to study IPS. One thing you can do is
visit www.sans.org; here you can find information to get started. IPS is
quite a new concept but nothing is impossible, maybe your 20 minute idea
can work.
Presently I am working on a host-based IDS (for Windows 2000 Pro) to
submit as a degree project.
You can mail me back if you need any information regarding this.

On Tuesday 25 May 2004 07:29, Runion Mark A FGA DOIM WEBMASTER(ctr) wrote:
Vaporwar-ish, or vapor-ware-ish?

IPS is a wonderful concept.  The few working incidents I've worked with are
much larger scale, and use a more structured network.  The concept
discussed here as "IPS" is terribly limited if only implemented as a
standalone piece of a network security wall.

Consider using IDS on LAN segments comprising pieces of the inbound and
outbound traffic lanes in a network.  These systems push gathered data to
a control center (distributed if you can afford it).  The control center
monitors and tracks applicant data across the entire network (imagine a
telco that might own the entire US data backbone).  The control center
might have various means of monitoring, tracking, and escalation for
various in-process attacks.  The notion that a distributed Denial of
Service cannot be stopped is a bit out of date.  Many are, but it is
always a credible legal issue.

Imagine Johnny the Scumbag, sitting in his apartment on 46th street.
Starts his attack using <insert pathetic script here>, and sits back to
see the results.  10 seconds later his cable modem stops transmitting.  20
minutes later, there is a knock on the front door; the Police would like
to chat.  Okay, so the police actually getting there in 20 minutes is
voyeuristic, but it could happen, maybe...

-
Mark Runion

"Vapor trails are what novices try to follow, though never noticed by
those who do it."


-----Original Message-----
From: Raistlin [mailto:raistlin () gioco net]
Sent: Saturday, May 22, 2004 1:49 PM
To: Greg Martin; focus-ids () securityfocus com
Subject: Re: Hi, I want to study IPS

Greg Martin wrote:
 > Some vendors use a baseline of the network and take action if the
 > baseline changes drastically.

Examples ?

 > Some use a 'negative space' technique which allows only valid traffic
 > and considers all other traffic as a dos and drops it completely.

Again, examples ?

IMHO IPS are nothing more than an integration of a firewall and an IDS
concept. As such, they are rather fuzzy and vaporwar-ish enough to be
very marketable.
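As an added illustration, not code from any poster in this thread, of the two approaches Greg Martin is quoted describing (a traffic baseline that raises an alert when it changes drastically, and a 'negative space' filter that passes only allowlisted traffic), here is a Python sketch over constructed per-host packet rates and flow tuples; every host, rate and allowlist entry is an invented sample value.

```python
from statistics import mean, pstdev

# Constructed sample: packets/minute per source host during a quiet
# training period (baseline), and the rates observed later.
TRAINING = {
    "10.0.0.5": [120, 130, 125, 118, 128, 122],
    "10.0.0.9": [40, 42, 38, 45, 41, 39],
}
OBSERVED = {
    "10.0.0.5": 131,   # within its baseline
    "10.0.0.9": 900,   # sudden burst far outside its baseline
    "10.0.0.77": 15,   # host never seen during training
}

# Allowlist of (destination, port) the lab treats as valid traffic;
# anything else is 'negative space' and gets dropped.
ALLOWED = {("10.0.0.1", 53), ("10.0.0.2", 80), ("10.0.0.2", 443)}
FLOWS = [  # constructed (src, dst, dport) tuples
    ("10.0.0.5", "10.0.0.2", 443),
    ("10.0.0.5", "10.0.0.1", 53),
    ("10.0.0.9", "10.0.0.2", 22),   # port not on the allowlist
    ("10.0.0.77", "10.0.0.3", 80),  # destination not on the allowlist
]


def build_baseline(training):
    """Mean and population std-dev of packets/minute for each host."""
    return {host: (mean(v), pstdev(v)) for host, v in training.items()}


def baseline_alerts(baseline, observed, k=3.0, min_sigma=1.0):
    """Flag hosts more than k sigma above their baseline, or with no baseline."""
    alerts = {}
    for host, rate in observed.items():
        if host not in baseline:
            alerts[host] = "no baseline"
            continue
        mu, sigma = baseline[host]
        z = (rate - mu) / max(sigma, min_sigma)  # flat baselines: avoid /0
        if z > k:
            alerts[host] = f"{rate} pkt/min is {z:.1f} sigma above {mu:.0f}"
    return alerts


def negative_space_filter(flows, allowed):
    """Split flows into (passed, dropped): only allowlisted (dst, port) pass."""
    passed = [f for f in flows if (f[1], f[2]) in allowed]
    dropped = [f for f in flows if (f[1], f[2]) not in allowed]
    return passed, dropped
```

A real deployment would learn the baseline per time-of-day and per service rather than a single flat mean, which is exactly why the thread insists on real traffic to evaluate against.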



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn
more.
--------------------------------------------------------------------------
