IDS mailing list archives
Re: Intrusion Detection Evaluation Datasets
From: Seth Hall <hall.692 () osu edu>
Date: Fri, 13 Mar 2009 22:00:10 -0400
Sorry to hijack this thread and throw it off in a slightly different direction, but I had some comments to slide in...
On Mar 13, 2009, at 11:13 AM, Zow Terry Brugger wrote:
> Someone mentioned Bro specifically. I don't think Bro provides anything new and interesting in the signature detection realm.
I would argue that it does to some degree at least. We started running a signature recently that I wrote to detect the presence of SSN-like data in our network traffic. Where Bro's signature capabilities shine in this circumstance is that calls can be made with the content of the match out to Bro policy script code. My policy script then validates the potential matches in a list of known OSU-related SSNs, which removes huge numbers of false positives without having to resort to post processing.
It reflects what I consider as the general "win" of Bro which is the domain specific language that it uses. I can't be very expressive with signatures, but with a full programming language I can be very specific with the behavior that I want to see on the network.
The real interesting things I've seen come out of Bro only used Bro for basic data collection, which an analyst was then able to find interesting patterns from. This goes strongly to Staniford's point about Paxson diving into the live data.
There is a slow progression in the Bro community toward collecting data over a period of time to indicate some activity in progress that isn't obvious from a single packet or session. We've been using a policy for over a year now that fairly quickly detects when we have someone abusing a compromised webmail account. We look into SMTP message contents to see if the mail was sent from a webmail interface based on the "X-Agent" or "User-Agent" mail headers. If it is, we keep track of how many recipients the sender has sent email to with the webmail interface and it points out people that are sending too much webmail in too short of a period of time.
Ultimately, it's creating a summary of activity based on a number of sessions over a relatively long period of time.
Is there anything else available that would allow me to be as expressive as that? (this isn't a snarky question, I'm honestly curious)
.Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
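The two detections Seth describes (a signature hit on SSN-like data that is then validated in script code, and a per-sender count of webmail recipients accumulated across many SMTP sessions) are sketched below as an added example in plain Python. This is not Bro policy script and not OSU's code; it only mirrors the structure of the argument: a cheap pattern match first, then stateful validation that a signature alone cannot express. The SSA structural rules are real, but the known-SSN set, the webmail agent names matched against the "X-Agent"/"User-Agent" headers, the window and threshold, and the SMTP transactions are all constructed for the demo.

```python
"""Prototype of the two Bro-style detections from the post, in plain Python.

Added example, not Bro policy script: a regex does the cheap first match,
Python code then does the stateful validation a signature alone cannot.
Sample records, agent names and the "known SSN" set are constructed.
"""
import re
from collections import defaultdict, deque

# --- 1. SSN-like data: regex hit, then validation against known values ---

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed stand-in for the site's list of SSNs it actually cares about.
KNOWN_SSNS = {"219-09-9999", "078-05-1120"}


def ssn_structurally_valid(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (000/666/9xx areas, zero group/serial)."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def find_ssns(payload: str, known: set[str] = KNOWN_SSNS) -> list[str]:
    """Return SSN-like matches that survive structural and known-list validation."""
    hits = []
    for m in SSN_RE.finditer(payload):
        if not ssn_structurally_valid(*m.groups()):
            continue  # e.g. 000-12-3456 is noise, never a real SSN
        if m.group(0) in known:
            hits.append(m.group(0))
        # else: looks like an SSN but is not one we track -> dropped in-line
    return hits


# --- 2. Webmail abuse: count recipients per sender across many sessions ---

WEBMAIL_AGENT_RE = re.compile(r"(squirrelmail|roundcube|horde)", re.I)  # assumed agents


def is_webmail(headers: dict[str, str]) -> bool:
    """Webmail if either agent header names one of the assumed interfaces."""
    ua = headers.get("X-Agent") or headers.get("User-Agent") or ""
    return bool(WEBMAIL_AGENT_RE.search(ua))


class WebmailRecipientTracker:
    """Sliding-window count of distinct recipients per webmail sender."""

    def __init__(self, window_secs: int, threshold: int):
        self.window = window_secs
        self.threshold = threshold
        self.events = defaultdict(deque)  # sender -> deque of (ts, rcpt)

    def observe(self, ts: float, sender: str, rcpts: list[str], headers: dict[str, str]):
        """Feed one SMTP transaction; return an alert string or None."""
        if not is_webmail(headers):
            return None
        q = self.events[sender]
        for r in rcpts:
            q.append((ts, r))
        while q and ts - q[0][0] > self.window:  # expire entries outside the window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) > self.threshold:
            return f"{sender}: {len(distinct)} webmail recipients in {self.window}s"
        return None


# Constructed SMTP transactions: (timestamp, sender, recipients, headers)
SAMPLE_MAIL = [
    (0, "alice@example.edu", ["bob@x.org"], {"User-Agent": "Thunderbird"}),
    (10, "mallory@example.edu", ["a@x.org", "b@x.org", "c@x.org"], {"X-Agent": "SquirrelMail/1.4"}),
    (20, "mallory@example.edu", ["d@x.org", "e@x.org", "f@x.org"], {"X-Agent": "SquirrelMail/1.4"}),
    (4000, "mallory@example.edu", ["g@x.org"], {"X-Agent": "SquirrelMail/1.4"}),
]


def run_webmail_demo(window_secs: int = 3600, threshold: int = 5) -> list[str]:
    """Replay the constructed transactions and collect the alerts raised."""
    tracker = WebmailRecipientTracker(window_secs, threshold)
    alerts = []
    for ts, sender, rcpts, hdrs in SAMPLE_MAIL:
        alert = tracker.observe(ts, sender, rcpts, hdrs)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    print(find_ssns("ID 219-09-9999, bogus 000-12-3456, other 123-45-6789"))
    for a in run_webmail_demo():
        print("ALERT", a)
```

The point of the structure, rather than the thresholds, is what carries over to Bro: the regex is the signature, `find_ssns` is the script callback that receives the matched content and decides whether it is worth reporting, and `WebmailRecipientTracker` is the per-sender state that has to survive across sessions for the "too much webmail in too short a period" judgement to be made at all.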