IDS mailing list archives

RE: Hi, I want to study IPS


From: Chatprechakul Mr N <n.chatprechakul () cranfield ac uk>
Date: Fri, 16 Jul 2004 16:37:30 +0100

Hello,
I think testing with a dataset from a place like Lincoln labs is still useful
because other people use it. So it allows you to compare the performance with
others. And the method of collecting proper traffic for testing is time
consuming, as you might have to document each attack. Using an available
dataset provides a quick and easy way to get your system tested. However, I
agree that the dataset can be considered very old (internet time); I wish they
would continue producing the dataset and keeping it up to date.

regards,
Nattapon Chatprechakul

-----Original Message-----
From: Anton A. Chuvakin [mailto:anton () chuvakin org]
Sent: 15 July 2004 11:29 PM
To: Chris Petersen
Cc: '(infor) urko zurutuza'; focus-ids () securityfocus com
Subject: RE: Hi, I want to study IPS


Hello.

Chris said:
> In our experience developing technology of this type (albeit data-mining
> anomaly detection software), you will need data from real networks to test
> your algorithms/methods against.

It is even crazier to see a recent paper on NIDS "research" utilizing the
so-called Lincoln labs IDS testing data set only and saying "in the future
we will try it on a real network". Eeewh... the thing is centuries (eh, 5
years) old. And it is sooo easy to get real data, just sniff your
University network (if a policy allows it, of course!) and/or set up a
honeynet.

The lab data also will not provide any real test for an IDS beyond very
simple things, such as 'does it actually sniff traffic'.

> Putting up a test network, with test data does not provide a good
> baseline against which to evaluate the effectiveness of your
> techniques.  You need real data, with real anomalies.

Agreed 100%

Best,
-- 
Anton A. Chuvakin, Ph.D., GCIA, GCIH
     http://www.info-secure.org
   http://www.securitywarrior.com


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------


-- 
This message has been scanned for viruses and
dangerous content by the Cranfield MailScanner, and is
believed to be clean.
