IDS mailing list archives
Re: Firewalls (was Re: IDS evaluations procedures)
From: Jason <security () brvenik com>
Date: Tue, 26 Jul 2005 17:08:15 -0400
Sanjay Rawat wrote:

> Hi Richard,
>
> I agree on the difficulty in defining an attack properly. In fact, recently I joined a company as a kind of intrusion analyst. Before that I was in an academic environment doing my PhD in IDS. What I observed is that signatures are concentrating more on a particular exploit code rather than the true exploit/vulnerability. I am specifically talking about Snort signatures.

An interesting assertion. I tend to disagree. What is it that leads you to believe that Snort rules focus on exploits instead of exploitable conditions?

> I feel that the time has come when we should also look at some AI/data mining/machine learning techniques to get some more insight into the attacks, as now we have high computing devices. During my research, I experimented with many such techniques, but I don't find the acceptability of such techniques in commercial products. I know I may sound more theoretical to all experienced network/system administrators, but I want to bring this issue into focus. In this way, we can, at least, discuss the feasibility of such techniques and the problems associated with that.

Please feel free to implement and try this, I would love to see it. There have been efforts in the past which attempt to do this, such as SPADE from Silicon Defense for Snort.

> I am looking forward to having some response from all.
>
> Thanks,
> Sanjay
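The distinction the two posters are arguing about (a rule that matches one exploit's bytes versus a rule that matches the exploitable condition) can be made concrete. The following is an added example, not code from the thread or from the Snort project: it models a hypothetical text protocol whose server copies the USER argument into a 64-byte buffer (an assumption made up for this example), and compares an exploit-specific content match against a condition-based length check over constructed sample payloads. The marker string stands in for a published exploit's distinctive bytes and is not a real exploit string.

```python
"""Exploit-specific vs vulnerability-condition detection (added example)."""
import re
from typing import Dict, List

# Assumption (constructed for this example): a hypothetical text protocol whose
# server copies the USER argument into a 64-byte fixed buffer, so any USER
# argument longer than 64 bytes reaches the vulnerable condition.
MAX_USER_LEN = 64

# Constructed payloads. "MARKER-PUBLIC-EXPLOIT" stands in for the distinctive
# bytes of one published exploit; nothing here is a real exploit string.
SAMPLES: Dict[str, bytes] = {
    "benign": b"USER alice\r\n",
    "public_exploit": b"USER " + b"A" * 100 + b"MARKER-PUBLIC-EXPLOIT" + b"\r\n",
    "variant": b"USER " + b"B" * 100 + b"\r\n",             # same bug, different bytes
    "short_marker": b"USER bob MARKER-PUBLIC-EXPLOIT\r\n",  # marker present, no overflow
}

# First USER command line in the payload; the argument is everything up to EOL.
USER_LINE = re.compile(rb"^USER (?P<arg>[^\r\n]*)\r?\n", re.MULTILINE)


def exploit_signature(payload: bytes) -> bool:
    """Rule written against one exploit: fires only on that exploit's bytes.
    Roughly the equivalent of a Snort content:"MARKER-PUBLIC-EXPLOIT"; match."""
    return b"MARKER-PUBLIC-EXPLOIT" in payload


def vulnerability_condition(payload: bytes) -> bool:
    """Rule written against the exploitable condition: a USER argument longer
    than the buffer, regardless of which bytes fill it."""
    m = USER_LINE.search(payload)
    return m is not None and len(m.group("arg")) > MAX_USER_LEN


def evaluate(samples: Dict[str, bytes]) -> Dict[str, Dict[str, bool]]:
    """Run both rules over every sample and return the verdicts by name."""
    return {
        name: {
            "exploit_sig": exploit_signature(payload),
            "vuln_cond": vulnerability_condition(payload),
        }
        for name, payload in samples.items()
    }


def missed_by_exploit_signature(samples: Dict[str, bytes]) -> List[str]:
    """Samples that reach the vulnerable condition yet evade the exploit rule."""
    verdicts = evaluate(samples)
    return [n for n, v in verdicts.items() if v["vuln_cond"] and not v["exploit_sig"]]


if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLES).items():
        print(f"{name:15s} exploit_sig={verdict['exploit_sig']!s:5s} "
              f"vuln_cond={verdict['vuln_cond']}")
    print("missed by exploit-only rule:", missed_by_exploit_signature(SAMPLES))
```

Run as a script, the exploit-only rule catches the published exploit but misses the "variant" payload that triggers the same bug with different filler, and it also fires on "short_marker", which carries the marker bytes without overflowing anything. The length-based rule tracks the condition the server actually mishandles, which is the property the reply above refers to as an exploitable condition.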