IDS mailing list archives
Re: Anomaly Based Network IDS
From: "Drew Simonis" <simonis () myself com>
Date: Thu, 24 Jun 2004 07:43:22 -0500
Barry Fitzgerald wrote:
> I'm going to go out on a limb and state that it's far less likely that a real 0-day will ever generate significantly abundant anomalies in the network traffic, in particular if it's designed well and if the attacker is careful about how they carry out their attack.
I wonder why volume of anomalies is a point of consideration here. As I have stated, I am a user of Mazu Network's Profiler product (and have been since early December). This product features the ability to compare network traffic against an evolving baseline, which would allow me to, for example, instantly detect traffic to a port on a machine that wasn't there before. The implications are (to me, anyway) obvious.

In my experience, an exploited machine usually begins listening on a new port. For example, if I exploit a webserver, I may have a listener on a high port so that I may connect in and do my thing. It isn't likely that I'd use 80/tcp as my listener, as that would make detection trivial (i.e. my webserver isn't serving!). As soon as a connection to this listener is made, I get an alert. If a host starts communicating with other hosts that it traditionally doesn't, I can get an alert. If a server stops receiving traffic on a port, or traffic falls below a threshold, I can get an alert.

The point is, while the initial attack vector may not generate alertable activity, in most cases the utilization of the attacked host would, and that is the value I see.

-Ds
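The three baseline checks described in the message above (a connection to a port the host was never seen listening on, a host talking to a peer it never talked to before, and a service whose inbound volume drops below a threshold) can be demonstrated on flow records. The following is an added example written for this archive page; it is not Mazu Profiler code and says nothing about how that product implements its baseline. The flow records, addresses and the 25% volume threshold are constructed for illustration, and the baseline and detection windows are assumed to cover equal spans of time so byte counts are directly comparable.

```python
"""Baseline-vs-window anomaly checks over flow records (added example, not Profiler code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # initiating host
    dst: str      # responding host
    dport: int    # port the responder was listening on
    nbytes: int   # bytes carried by the flow


def build_baseline(flows):
    """Summarise a training window into what 'normal' looks like."""
    listeners = set()            # (host, port) pairs that accepted traffic
    peers = defaultdict(set)     # host -> set of hosts it initiated flows to
    volume = defaultdict(int)    # (host, port) -> bytes received
    for f in flows:
        listeners.add((f.dst, f.dport))
        peers[f.src].add(f.dst)
        volume[(f.dst, f.dport)] += f.nbytes
    return {"listeners": listeners, "peers": dict(peers), "volume": dict(volume)}


def detect_anomalies(baseline, window, min_ratio=0.25):
    """Return alerts for new listeners, new peers and traffic drops in `window`.

    Assumes `window` spans the same amount of time as the baseline, so the
    byte volumes are comparable without scaling (an assumption of this example).
    """
    listeners, peers, volume = baseline["listeners"], baseline["peers"], baseline["volume"]
    # Only hosts we have a service profile for can have a "new" listener;
    # an address never seen in the baseline has nothing to compare against.
    profiled_hosts = {host for host, _ in listeners}
    alerts = []
    observed = defaultdict(int)
    for f in window:
        observed[(f.dst, f.dport)] += f.nbytes
        # 1. connection to a port this host was never seen listening on
        if f.dst in profiled_hosts and (f.dst, f.dport) not in listeners:
            alerts.append({"type": "new-listener", "host": f.dst, "port": f.dport, "peer": f.src})
        # 2. a known host initiating traffic to a peer it never talked to before
        if f.src in peers and f.dst not in peers[f.src]:
            alerts.append({"type": "new-peer", "host": f.src, "peer": f.dst, "port": f.dport})
    # 3. a service whose inbound volume fell below a fraction of its baseline
    for (host, port), base_bytes in volume.items():
        if observed[(host, port)] < base_bytes * min_ratio:
            alerts.append({"type": "traffic-drop", "host": host, "port": port,
                           "baseline": base_bytes, "observed": observed[(host, port)]})
    return alerts


# Constructed sample data: two clients use a web server, an admin box and the
# web server use a database. Addresses are illustrative only.
BASELINE_FLOWS = [
    Flow("10.0.0.11", "10.0.1.5", 80, 500_000),
    Flow("10.0.0.12", "10.0.1.5", 80, 400_000),
    Flow("10.0.0.20", "10.0.1.6", 3306, 20_000),
    Flow("10.0.1.5", "10.0.1.6", 3306, 300_000),
]

# Constructed detection window: the web server has been compromised. It now
# answers on a high port, calls back out to an external host, and its normal
# service on 80/tcp has mostly stopped ("my webserver isn't serving").
WINDOW_FLOWS = [
    Flow("10.0.0.11", "10.0.1.5", 80, 50_000),
    Flow("10.0.1.5", "10.0.1.6", 3306, 300_000),
    Flow("203.0.113.7", "10.0.1.5", 4444, 8_000),
    Flow("10.0.1.5", "203.0.113.7", 443, 120_000),
]


def run_example():
    return detect_anomalies(build_baseline(BASELINE_FLOWS), WINDOW_FLOWS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Note the caveat built into the new-peer check: it only fires for a source host that exists in the baseline, so a public server receiving its first connection from an unknown client is not flagged, while the same server initiating an outbound connection to that client is. Which of these three conditions is worth an alert, and at what volume threshold, depends on the role of the host; the thresholds here are placeholders for that tuning.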