IDS mailing list archives

RE: Hi, I want to study IPS


From: Vincent.Maes () aps com
Date: Tue, 20 Jul 2004 11:43:55 -0700

Here are some real-time attack captures from DEFCON's Capture the Flag.
Real hackers... real captures...

http://www.shmoo.com/cctf/

Vince Maes


-----Original Message-----
From: Chris Petersen [mailto:chris.petersen () security-conscious com] 
Sent: Wednesday, July 14, 2004 8:02 AM
To: '(infor) urko zurutuza'; focus-ids () securityfocus com
Subject: RE: Hi, I want to study IPS


In our experience developing technology of this type (albeit data-mining
anomaly detection software), you will need data from real networks to
test your algorithms/methods against. Putting up a test network, with
test data does not provide a good baseline against which to evaluate the
effectiveness of your techniques. You need real data, with real
anomalies.

If you can't get a live feed from production networks, you might try
something like tcpdump combined with tcpreplay. It's been a while, but I
believe what I did was pump tcpdump files into a hub via tcpreplay. I
then connected our sniffer and analysis software to the hub. I believe
it's also possible to do this without a hub, where the replay system and
sniffer are one and the same.

I think the most important consideration is making sure you have a
network architecture that allows you to collect, replay, and sniff as
much traffic as possible by as many different systems as possible.

Good luck,

Chris Petersen
CTO Security Conscious, Inc.
www.logrhythm.com

-----Original Message-----
From: (infor) urko zurutuza [mailto:uzurutuza () eps mondragon edu] 
Sent: Tuesday, July 13, 2004 9:27 AM
To: focus-ids () securityfocus com
Subject: RE: Hi, I want to study IPS


Hi all,

Continuing with these questions, we are planning a laboratory for
research in the university.

Which do you think are the computer requirements for Network-based
Anomaly Detection research?



Urko

-----Original Message-----
From: Ali Rajput [mailto:arajput () hdaar com]
Sent: Tuesday, 25 May 2004 17:10
To: focus-ids () securityfocus com
Subject: Re: Hi, I want to study IPS

Hi,
My name is Muhammad Ali Rajput.
It's good to hear that you want to study IPS. One thing you can do is
visit www.sans.org; here you can find information to get started. IPS is
a quite new concept, but nothing is impossible; maybe your 20 minute
idea can work.
Presently I am working on a host-based IDS (for Windows 2000 Pro) to
submit as a degree project.
You can mail me back if you need any information regarding this.

On Tuesday 25 May 2004 07:29, Runion Mark A FGA DOIM WEBMASTER(ctr)
wrote:
Vaporwar-ish, or vapor-ware-ish?

IPS is a wonderful concept. The few working incidents I've worked with
are much larger scale, and use a more structured network. The concept
discussed here as "IPS" is terribly limited if only implemented as a
standalone piece of a network security wall.

Consider using IDS on LAN segments comprising pieces of the inbound and
outbound traffic lanes in a network. These systems push gathered data to
a control center (distributed if you can afford it). The control center
monitors and tracks applicant data across the entire network (imagine a
telco that might own the entire US data backbone). The control center
might have various means of monitoring, tracking, and escalation for
various in-process attacks. The notion that a distributed Denial of
Service cannot be stopped is a bit out of date. Many are, but it is
always a credible legal issue.

Imagine Johnny the Scumbag, sitting in his apartment on 46th Street.
He starts his attack using <insert pathetic script here>, and sits back
to see the results. 10 seconds later his cable modem stops transmitting.
20 minutes later, there is a knock on the front door; the police would
like to chat. Okay, so the police actually getting there in 20 minutes
is voyeuristic, but it could happen, maybe...

-
Mark Runion

"Vapor trails are what novices try to follow, though never noticed by
those who do it."


-----Original Message-----
From: Raistlin [mailto:raistlin () gioco net]
Sent: Saturday, May 22, 2004 1:49 PM
To: Greg Martin; focus-ids () securityfocus com
Subject: Re: Hi, I want to study IPS

Greg Martin wrote:
> Some vendors use a baseline of the network and take action if the
> baseline changes drastically.

Examples?

> Some use a 'negative space' technique which allows only valid traffic
> and considers all other traffic as a DoS and drops it completely.

Again, examples?

IMHO IPS are nothing more than an integration of a firewall and an IDS
concept. As such, they are rather fuzzy and vaporwar-ish enough to be
very marketable.
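Two points in this thread ask for something concrete: Chris Petersen's advice to test anomaly-detection methods against real tcpdump captures (replayed with tcpreplay), and Greg Martin's "baseline of the network, act if it changes drastically". The script below is an added example written for this page; it is not code from any poster, vendor or project named in the thread. It reads a libpcap file with only the Python standard library, builds a packets-per-second baseline from one capture, and flags seconds in a second capture whose rate exceeds mean plus k standard deviations. The sample packets and both pcap byte strings are constructed inline (the IP and TCP checksums are left at zero, which the reader deliberately ignores); the IP addresses, ports and the threshold k=3 are assumptions chosen for illustration. Only Ethernet-framed IPv4/TCP is handled, and everything else in the capture is skipped rather than counted.

```python
"""Baseline packet rate from one pcap, flag rate anomalies in another (stdlib only)."""
import struct
import statistics
from collections import Counter, defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # little-endian libpcap magic (microsecond timestamps)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _pack_tcp_syn(src_ip, dst_ip, src_port, dst_port):
    """Constructed Ethernet/IPv4/TCP SYN frame; checksums stay zero (parser ignores them)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(packets):
    """packets: iterable of (ts_sec, frame_bytes) -> bytes of a little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, frame in packets:
        out.append(struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (ts_sec, src_ip, dst_ip, dst_port) for every IPv4/TCP packet in a pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:        # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a libpcap file (pcapng and nanosecond variants not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Skip truncated frames and anything that is not IPv4 (ARP, IPv6, ...).
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
        if frame[23] != IPPROTO_TCP or len(frame) < 14 + ihl + 4:
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        dst_port = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
        yield ts_sec, src, dst, dst_port


def build_baseline(records):
    """(mean, population stdev) of packets per second over the seconds seen in a capture."""
    counts = list(Counter(r[0] for r in records).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def find_anomalies(records, baseline, k=3.0):
    """Seconds whose packet count exceeds mean + k*stdev, with the busiest source in that second."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    by_sec = defaultdict(Counter)
    for ts_sec, src, _dst, _dport in records:
        by_sec[ts_sec][src] += 1
    return [(sec, sum(c.values()), c.most_common(1)[0][0])
            for sec, c in sorted(by_sec.items()) if sum(c.values()) > threshold]


# Constructed sample traffic: ten quiet seconds of 2-3 SYNs/s from one host, and a burst of
# 40 SYNs to port 22 from a second host during second 1005 (assumed addresses).
_QUIET = [(1000 + s, _pack_tcp_syn("10.0.0.5", "10.0.0.10", 40000 + i, 80))
          for s in range(10) for i in range(2 + s % 2)]
_BURST = [(1005, _pack_tcp_syn("10.0.0.77", "10.0.0.10", 50000 + i, 22)) for i in range(40)]
BASELINE_PCAP = build_pcap(_QUIET)
TEST_PCAP = build_pcap(sorted(_QUIET + _BURST, key=lambda p: p[0]))

if __name__ == "__main__":
    base = build_baseline(list(parse_pcap(BASELINE_PCAP)))
    print("baseline mean=%.2f pkts/s stdev=%.2f" % base)
    for sec, n, top in find_anomalies(list(parse_pcap(TEST_PCAP)), base):
        print("second %d: %d packets, busiest source %s" % (sec, n, top))
```

With a real capture, `parse_pcap(open("capture.pcap", "rb").read())` works on the output of `tcpdump -s 0 -w capture.pcap`, and the same file can be fed to the sniffer under test with `tcpreplay -i <interface> capture.pcap`. The baseline should come from a capture long enough to contain normal daily variation; a ten-second window like the constructed one will flag ordinary bursts as anomalies.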
