IDS mailing list archives
Re: Intrusion Detection Evaluation Datasets
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Mon, 16 Mar 2009 18:39:26 +0000
--On Saturday, March 14, 2009 01:58:22 +0100 Damiano Bolzoni <damiano.bolzoni () utwente nl> wrote:
> On 13/03/2009 21.05, Paul Palmer wrote:
> > So, for example, in some (well, at least one) IDS products, the signature writer can write a single signature to recognize attempts to exploit a vulnerability in a data structure embedded within a Quicktime Movie file even before he knows how the attacker will encode the exploit.
>
> Paul, I think the IDS you're talking about is unique (so far), and I believe I know which one you're referring to :)
>
> To go back to Terry's question, Paul's example shows something that you cannot really do right now with Snort. You would need to rewrite the detection engine from scratch, in particular the regular expression engine (I won't mention the details, but the whole thing is related to grammar and automaton theory).
>
> We had a similar case when monitoring a network with an anomaly-based NIDS. Snort was able to detect only one instance of the attack, while the anomaly-based NIDS detected all the attack instances. To achieve the same detection rate with Snort, we should have written another 255 rules...which would have made the whole system just run slower (and to detect just one attack!)...
>
> Signature-based IDSs are moving towards vulnerability signatures, because their application is of great interest especially for IPS vendors. However, the power of vulnerability signatures has not been fully explored yet.
Unless you can be more specific, I'm going to call your claim bogus. It is entirely possible to write one snort signature that will detect *every* instance of an attempt to overflow a buffer in a particular application no matter what the attack "signature" is. You just have to understand the snort logic and syntax and understand packet analysis well enough.
Your comment seems based upon the run of the mill signatures routinely submitted by average Joes trying to give back to the community.
And yes, I know exactly which IDS you're referring to. They also claim to have the best vulnerability scanner on the market - one we found so useless we trashed it after spending ridiculous amounts of money and insane amounts of effort trying to get it to work. If that's any indication of how well their IDS works, I wouldn't give it the time of day, much less a fair evaluation.
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
Check the headers before clicking on Reply.
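The disagreement above is about exploit signatures (match the bytes of one known exploit) versus vulnerability signatures (match the condition that triggers the bug, whatever the payload looks like). The following is an added illustration, not code from the thread or from any IDS product: a constructed length-prefixed toy protocol whose receiver is assumed to copy the payload into a fixed 64-byte buffer, one content-based rule keyed to a single known shellcode, one rule keyed to the vulnerable condition (declared length larger than the buffer), and 256 XOR-encoded variants of the same exploit, which is the kind of variant set that produces the "another 255 rules" problem. All byte strings, sizes and function names are constructed for the example.

```python
"""Exploit signature vs. vulnerability signature over constructed traffic.

Toy wire format (constructed for this example): 2-byte big-endian length,
then the payload. The receiver is assumed to copy the payload into a fixed
64-byte stack buffer, so any declared length above 64 is the bug condition.
"""
import struct

BUFFER_SIZE = 64  # assumed size of the receiver's fixed buffer (constructed)

# Constructed stand-in for a known exploit payload: a NOP sled plus filler,
# 72 bytes in total, which is enough to overrun the 64-byte buffer.
SAMPLE_SHELLCODE = b"\x90" * 32 + b"\xcc" * 40


def build_message(payload: bytes) -> bytes:
    """Frame a payload in the toy protocol: 2-byte length prefix + payload."""
    return struct.pack(">H", len(payload)) + payload


def exploit_signature(message: bytes, known_exploit_bytes: bytes) -> bool:
    """Content match on one known exploit's bytes (what a run-of-the-mill rule does)."""
    return known_exploit_bytes in message


def vulnerability_signature(message: bytes) -> bool:
    """Match the vulnerable condition itself: declared length exceeds the buffer.

    The payload bytes are never inspected, so encoding the exploit differently
    does not matter; only the length field the vulnerable parser trusts does.
    """
    if len(message) < 2:
        return False
    (declared_len,) = struct.unpack(">H", message[:2])
    return declared_len > BUFFER_SIZE


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest transform that defeats a byte-pattern match."""
    return bytes(b ^ key for b in data)


def make_variants(shellcode: bytes) -> list:
    """The raw exploit (key 0) plus 255 XOR-encoded copies: 256 payloads, one bug."""
    return [build_message(xor_encode(shellcode, k)) for k in range(256)]


def evaluate(shellcode: bytes) -> dict:
    """Run both rules over the variant set and over a short benign message."""
    variants = make_variants(shellcode)
    benign = build_message(b"hello, world")  # 12 bytes, well inside the buffer
    return {
        "variants": len(variants),
        "exploit_sig_hits": sum(exploit_signature(m, shellcode) for m in variants),
        "vuln_sig_hits": sum(vulnerability_signature(m) for m in variants),
        "benign_exploit_sig": exploit_signature(benign, shellcode),
        "benign_vuln_sig": vulnerability_signature(benign),
    }


if __name__ == "__main__":
    for name, value in evaluate(SAMPLE_SHELLCODE).items():
        print(f"{name}: {value}")
```

The content rule fires on exactly one of the 256 variants (the unencoded one), while the length rule fires on all of them and stays quiet on the benign message. The length rule also fires on an oversize message that carries no shellcode at all, which is the intended behaviour of a vulnerability signature: it flags the condition that crashes the parser, not the attacker's intent. The closest Snort analogue to `vulnerability_signature` here is a rule built on `byte_test` against the length field (for this toy framing, `byte_test:2,>,64,0;`) rather than a `content` match on exploit bytes; whether a real target's trigger condition can be expressed that way is exactly what the two posters disagree about.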
Current thread:
- Re: Intrusion Detection Evaluation Datasets, (continued)
- Re: Intrusion Detection Evaluation Datasets Stuart Staniford (Mar 13)
- Re: Intrusion Detection Evaluation Datasets Stefano Zanero (Mar 13)
- Re: Intrusion Detection Evaluation Datasets "Zow" Terry Brugger (Mar 13)
- Re: Intrusion Detection Evaluation Datasets Paul Palmer (Mar 13)
- Re: Intrusion Detection Evaluation Datasets Stefano Zanero (Mar 13)
- Re: Intrusion Detection Evaluation Datasets Paul Palmer (Mar 13)
- Re: Intrusion Detection Evaluation Datasets Stefano Zanero (Mar 13)
- Message not available
- Re: Intrusion Detection Evaluation Datasets "Zow" Terry Brugger (Mar 13)
- Re: Intrusion Detection Evaluation Datasets Paul Palmer (Mar 13)
- Re: Intrusion Detection Evaluation Datasets Damiano Bolzoni (Mar 16)
- Re: Intrusion Detection Evaluation Datasets Paul Schmehl (Mar 17)
- Re: Intrusion Detection Evaluation Datasets Damiano Bolzoni (Mar 17)
- Re: Intrusion Detection Evaluation Datasets Paul Schmehl (Mar 18)
- Re: Intrusion Detection Evaluation Datasets Seth Hall (Mar 18)
- Re: Intrusion Detection Evaluation Datasets Damiano Bolzoni (Mar 18)
- Re: Intrusion Detection Evaluation Datasets Stefano Zanero (Mar 18)
- Re: Intrusion Detection Evaluation Datasets Damiano Bolzoni (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Stefano Zanero (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Stuart Staniford (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Stefano Zanero (Mar 19)
- Re: Intrusion Detection Evaluation Datasets Damiano Bolzoni (Mar 20)