Vulnerability Development mailing list archives
Re: Thinking about Security rules...
From: Geoff Galitz <galitz () chem berkeley edu>
Date: Tue, 14 May 2002 11:15:51 -0700
Hiya,

Hmmm... this does sound like a good topic for a paper. ;)

I suspect you won't find anything that directly addresses your issues on a generic level, but you can look at individual IDS' with response capabilities. These include:

- dynamic routing adjustments (host or router)
- dynamic service wrapping adjustments (host)

And reading old archives about what can happen when you have active host response versus passive host response.

You will find, I think, that if you draw closer to what you are looking for, you find yourself tied to certain technologies. There is nothing wrong with that in general, but it is something to be aware of. Some sort of standard message passing system aimed directly at this need would be nice, and I think it has been tried, but to my knowledge there is nothing out there that allows for complete freedom without a lot of development work on the part of your own organization.

One last note... I was working on something like this at one point, myself. It was some snort sensors dumping events into a MySQL database with some perl scripts which did some analysis and also some follow-up measures (completely within our own network) to determine if there was any change to the host after the event was logged. I didn't get a lot of help and other things needed to be done around here, so the project kind of went into hiatus. The goal was to come up with an automated system that did some analysis to determine what would be a false alarm, what would be a particularly vulnerable system or network, along with some other tracking issues which are not purely security related (DNS management and tracking).

It is probably more focused than what you are looking for, but feel free to take a look at these old web pages. Note that they are way out of date and really online for archival purposes more than anything else. If you (or anyone else) wants any other bits that are there or wants to help pick up the ball again, just drop me a letter.

Here is the URL: http://www.cchem.berkeley.edu/College/unix/proj/

-geoff

On Tuesday, May 14, 2002, at 10:54 AM, Rhino Bond wrote:
Folks,

Just to clarify what we are looking for. We know how to configure all the separate parts (routers, firewalls, IDS, etc.). We were wondering if anyone ever wrote a white paper on creating an engine to automate/manage all the individual parts. So far I have found nothing. This is a Herculean project I think... However I want to thank everyone for their contributions to this thread, they were all very interesting.
---------------------------------------------------------------------------------------------- "Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music." - Kristian Wilson, CEO, Nintendo Gaming Corporation, Inc, 1989
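As an added illustration of the gated response Geoff describes (active host response with a safeguard so a false alarm cannot block your own gateway or sensor), here is a small policy engine; it is not code from either poster or from the Berkeley project, and the alerts, addresses, signatures and threshold are constructed.

```python
"""Minimal IDS event -> response policy engine (added illustration).

Input is a list of already-parsed IDS alerts as dicts (constructed below,
not real Snort output). Active responses are returned as proposed actions,
never executed, so a second check or a human can gate them.
"""
from collections import Counter

# Constructed sample alerts: signature, source, destination.
SAMPLE_ALERTS = [
    {"sig": "WEB-MISC /etc/passwd", "src": "192.0.2.10", "dst": "198.51.100.5"},
    {"sig": "WEB-MISC /etc/passwd", "src": "192.0.2.10", "dst": "198.51.100.6"},
    {"sig": "WEB-MISC /etc/passwd", "src": "192.0.2.10", "dst": "198.51.100.7"},
    {"sig": "ICMP PING NMAP",       "src": "198.51.100.1", "dst": "198.51.100.5"},
    {"sig": "SCAN nmap TCP",        "src": "203.0.113.7", "dst": "198.51.100.5"},
]

# Hosts that must never be actively blocked (constructed): the gateway and the
# management station. Blocking them turns a probe into a self-inflicted outage.
NEVER_BLOCK = {"198.51.100.1", "198.51.100.250"}

# Signatures known to fire on routine traffic: passive logging only.
PASSIVE_ONLY = {"ICMP PING NMAP"}

ACTIVE_THRESHOLD = 3  # alerts from one source before any active response


def plan_responses(alerts, never_block=NEVER_BLOCK, passive_only=PASSIVE_ONLY,
                   threshold=ACTIVE_THRESHOLD):
    """Return {src: action}, action in 'log', 'wrap', 'skip-protected'.

    'wrap' proposes a host-level tcp_wrappers deny entry, the least disruptive
    and most reversible active response; routing changes are left to a human.
    """
    per_src = Counter(a["src"] for a in alerts if a["sig"] not in passive_only)
    plan = {}
    for a in alerts:
        src = a["src"]
        if src in never_block:
            plan[src] = "skip-protected"
        elif per_src[src] >= threshold:
            plan[src] = "wrap"
        else:
            plan[src] = "log"
    return plan


def hosts_deny_lines(plan):
    """Render the 'wrap' decisions as tcp_wrappers hosts.deny entries."""
    return [f"ALL: {src}" for src, act in sorted(plan.items()) if act == "wrap"]
```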
Current thread:
- Thinking about Security rules... Rhino Bond (May 08)
- Re: Thinking about Security rules... Peter Kristolaitis (May 08)
- RE: Thinking about Security rules... Sean Convery (May 09)
- Re: Thinking about Security rules... f.harster (May 09)
- Re: Thinking about Security rules... Ray Parks (May 09)
- Re: Thinking about Security rules... f.harster (May 10)
- Re: Thinking about Security rules... Harvey Newstrom (May 10)
- Re: Thinking about Security rules... Geoff Galitz (May 13)
- Re: Thinking about Security rules... Rhino Bond (May 14)
- Re: Thinking about Security rules... Geoff Galitz (May 14)
- Re: Thinking about Security rules... Ray Parks (May 09)
- Re: Thinking about Security rules... Peter Kristolaitis (May 08)
- <Possible follow-ups>
- RE: Thinking about Security rules... Mendoza Bazan, Luis - (Per) (May 14)
- Re: Thinking about Security rules... David Hawley (May 14)