IDS mailing list archives
RE: Bypassing "smart" IDSes with misdirected frames? (long and boring)
From: "Phil Hollows" <phil () open com>
Date: Tue, 1 Jun 2004 09:48:20 -0400
The solution to linking IDS to VM isn't SF -- it's SIM. Security information management products, including the one from Open (the company I work for, FYI - http://www.open.com), correlate IDS events with VM in order to determine how relevant an event report from an IDS is. They also integrate alerts from multiple IDS, FW etc., so that the false positive risk is reduced further by looking for patterns of related events to pull threat signal from the false positive noise. The results can be very impressive in terms of improved efficiency.

Phil Hollows
VP Marketing
OpenService (Open)
110 Turnpike Road, Suite 308
Westborough, MA 01581
www.open.com

-----Original Message-----
From: Michal Melewski [mailto:mike () pn66 poznan sdi tpnet pl]
Sent: Friday, May 28, 2004 9:34 AM
To: focus-ids () securityfocus com
Subject: Re: Bypassing "smart" IDSes with misdirected frames? (long and boring)

Hello

From what I know, you haven't discovered anything new. The problem regarding false MAC addressing was discussed in "Eluding ID systems..." from 1998. I admit that your approach is more sophisticated and a simple "drop all wrong MAC addresses" wouldn't help. In my opinion a solution like MAC-address-based session reassembly can help. Generally, IDSes should move into a nearly-VM that behaves like the system under attack, but in an isolated environment, assessing all impacts. This, however, is SF for now.

(This is a short version of my response because I'm at work now; the extended version is coming out soon.)

--
Michael "carstein" Melewski
carstein () poznan linux org pl
mobile: 502 545 913
gpg: carstein.c.pl/carstein.txt

"Kepler was a humanist, so was Leibniz. A man who defines humanism as the inability to integrate is not a humanist."
Current thread:
- RE: Bypassing "smart" IDSes with misdirected frames? (long and boring) Phil Hollows (Jun 01)
- <Possible follow-ups>
- Re: Bypassing "smart" IDSes with misdirected frames? (long and boring) nick black (Jun 04)