IDS mailing list archives
Re: Intrusion Detection Evaluation Datasets
From: Seth Hall <hall.692 () osu edu>
Date: Thu, 19 Mar 2009 12:45:13 -0400
On Mar 19, 2009, at 11:15 AM, Ravi Chunduru wrote:
> There should be some solution like web application firewalls do - deep packet inspection and protocol parsing.
That's exactly how Bro works, and I've been occasionally examining various open source web application firewalls to see if I could use their techniques from an IDS context, but I haven't had time yet to actually write anything beyond my script that uses a regex to catch GET-based SQL injections[1]. A couple of extra nifty tricks about Bro in the context of HTTP analysis are that you can detect a number of protocols, including HTTP on any port (Dynamic Port Detection or DPD[2]). The other is that when Bro encounters gzipped body contents in a session, it will transparently unzip the body and pass along the uncompressed content so that your analysis scripts never even need to know about the compression.
1. http://github.com/sethhall/bro_scripts/blob/91a6a16e96ffbc563ec392d545fe688fee7bfee0/http-ext.bro
2. http://bro-ids.org/wiki/index.php/DynamicProtocolDetection

.Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
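The two Bro behaviours Seth describes, a regex run over decoded GET parameters and transparent gunzipping of bodies before analysis scripts see them, as a stand-alone Python illustration. This is added example code, not Seth's http-ext.bro and not any Bro script; the detection regex, the decode-round bound and the sample requests are constructed for this example, and the pattern is a heuristic, not Bro's rule set.

```python
"""Added example: regex check over decoded GET query parameters, plus
transparent gzip handling of HTTP bodies, in the spirit of the Bro
behaviour described in the thread (not Bro's own code)."""
import gzip
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Heuristic SQL-injection indicators; an assumption of this example.
SQLI_RE = re.compile(
    r"'\s*(?:or|and)\s+\S+\s*=\s*\S+"        # ' OR 1=1, ' or 'a'='a
    r"|\bunion\b\s+(?:all\s+)?select\b"      # UNION SELECT
    r"|;\s*(?:drop|insert|update|delete)\b"  # stacked statement
    r"|(?:--|#)\s*$",                        # trailing comment terminator
    re.IGNORECASE,
)

MAX_DECODE_ROUNDS = 3  # bound repeated %-decoding (constructed limit)


def normalize(value: str) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    value such as %2527 is seen as the quote it turns into on the server."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_get_request(request_line: str) -> list[tuple[str, str]]:
    """Return (param, decoded_value) pairs whose value matches SQLI_RE.

    Only GET request lines are examined, mirroring the GET-only scope
    of the script mentioned in the thread."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return []
    query = urlsplit(parts[1]).query
    hits = []
    # parse_qsl already decodes one layer and turns '+' into spaces
    for key, raw in parse_qsl(query, keep_blank_values=True):
        value = normalize(raw)
        if SQLI_RE.search(value):
            hits.append((key, value))
    return hits


def body_text(headers: dict[str, str], body: bytes) -> str:
    """Return the body as text, gunzipping first when Content-Encoding
    says gzip, so content checks run on plaintext either way."""
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return body.decode("utf-8", errors="replace")


def scan(request_lines: list[str]) -> list[tuple[str, list[tuple[str, str]]]]:
    """Run flag_get_request over many request lines; keep only the hits."""
    results = []
    for line in request_lines:
        hits = flag_get_request(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample traffic: two benign lines, a plain and a
# double-encoded injection attempt, and a POST that is out of scope.
SAMPLE_REQUESTS = [
    "GET /items?id=5 HTTP/1.1",
    "GET /search?q=the+union+of+all+sets HTTP/1.1",
    "GET /items?id=5%27%20OR%201%3D1-- HTTP/1.1",
    "GET /items?id=5%2527%2520OR%25201%253D1-- HTTP/1.1",
    "POST /items?id=5%27%20OR%201%3D1-- HTTP/1.1",
]

# Constructed gzipped response, as a sensor would see it on the wire.
SAMPLE_HEADERS = {"content-type": "text/html", "content-encoding": "gzip"}
SAMPLE_BODY = gzip.compress(b"<html>plain content after decompression</html>")

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_REQUESTS):
        print("FLAGGED:", line, hits)
    print("BODY:", body_text(SAMPLE_HEADERS, SAMPLE_BODY))
```

Of the five sample lines only the two GET injection attempts are flagged; the double-encoded one is caught because `normalize` keeps decoding until the value is stable, and the POST is skipped by design. `body_text` is the analogue of Bro's transparent decompression: whatever matches you run on response content see the same plaintext whether or not the server compressed it.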