IDS mailing list archives
Re: Looking for feedback on anomaly-based IDS systems
From: p1g <killfactory () gmail com>
Date: Wed, 9 Jan 2008 23:54:15 -0500
I run the Enterasys Dragon NBAD in conjunction with Sig Based IDS. The magic comes from the SIM. I have a Dragon Security Command Console. It correlates Sig Based IDS with the NBAD sentries. This setup allows me to correlate vulnerability information, IDS events, anomalies and syslog/event logs. I can also run reports on traffic statistics. NBAD is alot of work. I think of NBAD as reverse signature based. You dont use signature, but you do create a global signature pre se of you entire netowrk. You authorize what you know to be legit documented traffic and services. Then NBAD tells what doesn't match you baseline. I don't want to know how people ar edoing it with out this type of technology. Wasting alot of time i guess. On 1/9/08, Libershal, David M. <Dave.Libershal () jhuapl edu> wrote:
We have been using signature-based systems but now feel the need for some additional security protection that might be provided via an anomaly-based IDS system (zero day exploits, etc). I'm not experienced with anomaly-based systems and know only what I've seen on the web, or sevral years ago at some trade shows. Some seem to be focused more on network operation but also have the IDS component. At least for right now, I've been asked to look at security systems. Any good ideas, suggestions, or horror stories about anomaly-based systems that may be a help would be appreciated. Up til now I've only been saving signature related emails from this list. Thanks, Dave -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of GMail Sent: Wednesday, January 09, 2008 2:59 AM To: focus-ids () securityfocus com Subject: signature based IDS/IPS effectiveness focus-ids, How effective are signature based IDS/IPS systems on text based protocols which involves grammar like PL/SQL. Using PL/SQL I can write same query with different ways and different constructs that leads to different query patterns. So does not that mean stateless signature based IDS/IPS are useless for database servers, etc. Best Regards, Mayur ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig n=intro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
-- -p1g SnortCP ,,__ o" )~ oink oink ' ' ' ' If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- former White House cybersecurity czar Richard Clarke ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Re: Preventing layer 3/4 evasions Martin Roesch (Jan 07)
- Re: Preventing layer 3/4 evasions Jeremy Bennett (Jan 09)
- <Possible follow-ups>
- RE: Preventing layer 3/4 evasions Mike Barkett (Jan 07)
- signature based IDS/IPS effectiveness GMail (Jan 09)
- Re: signature based IDS/IPS effectiveness Stefano Zanero (Jan 09)
- Looking for feedback on anomaly-based IDS systems Libershal, David M. (Jan 09)
- Re: Looking for feedback on anomaly-based IDS systems p1g (Jan 10)
- Re: signature based IDS/IPS effectiveness Jamie Riden (Jan 10)
- Re: signature based IDS/IPS effectiveness GMail (Jan 10)
- RE: signature based IDS/IPS effectiveness Nelson Brito (Jan 10)
- Re: signature based IDS/IPS effectiveness Paul Schmehl (Jan 10)
- signature based IDS/IPS effectiveness GMail (Jan 09)
- Message not available
- Re: signature based IDS/IPS effectiveness Jamie Riden (Jan 10)