Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: Barney Wolff <barney () databus com>
Date: Thu, 19 Feb 1998 17:36 EST
From: tqbf () secnet com
Date: Wed, 18 Feb 1998 17:17:37 -0600 (CST)

> The reason that we claim this information is critical to accurate protocol analysis and session reconstruction is simple. Two different operating systems may process and reconstruct the same stream of traffic differently. For instance, Windows NT 4.0 and FreeBSD 2.2 will reconstruct two entirely different IP datagrams given the exact same stream of IP fragments. A passive ID system cannot possibly know which reassembly is correct without either knowing which operating system is running at the destination or analyzing every possible interpretation of those fragments.
But why would it need to? Overlapping fragments are "never" produced by accident or misconfiguration, and can therefore always be taken as an attack signature. Are you really intending to say that if I'm dumb enough to use an attack that works on OS-X against a host running OS-Y, the IDS should ignore me until I smarten up? It might not page somebody, but it surely should at least count me.

What's being missed here, imho, is that the great majority of attacks use packets/streams that lie far outside the boundaries of legitimate use, despite perhaps being legal IP or TCP. As with firewalls, it can be useful to think about IDS as "deny what I don't recognize as permitted" rather than "permit what I don't recognize as denied". Products that trade off the false alarm rate vs the missed attack rate in different ways can compete in the marketplace, without being in any universal sense fatally flawed.

Barney Wolff <barney () databus com>
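The two positions in this exchange (tqbf: a passive sensor cannot know which reassembly the destination will perform; Wolff: overlapping fragments are anomalous enough to flag regardless) can be illustrated with a small fragment auditor. The code below is an added example written for this archive page, not code from either poster. It models fragments as plain (offset, bytes) pairs with no IP headers, and reassembles them under two hypothetical overlap policies, "first" (earlier-arriving bytes win) and "last" (later bytes win); it makes no claim about which policy any real operating system, NT 4.0 or FreeBSD 2.2 included, actually uses. The sensor-side point is that it reports overlap and reassembly ambiguity as separate facts: a retransmitted identical fragment overlaps but is not ambiguous, while conflicting overlapping bytes are both, which is what a sensor would "at least count".

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Fragment:
    """A simplified fragment: byte offset within the original datagram plus payload.
    Constructed for this example; real fragments also carry IP header fields."""
    offset: int
    data: bytes

    @property
    def end(self) -> int:
        return self.offset + len(self.data)


def find_overlaps(frags: List[Fragment]) -> List[Tuple[int, int]]:
    """Return index pairs (i, j), i < j, whose byte ranges intersect."""
    pairs = []
    for i in range(len(frags)):
        for j in range(i + 1, len(frags)):
            a, b = frags[i], frags[j]
            if a.offset < b.end and b.offset < a.end:
                pairs.append((i, j))
    return pairs


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Reassemble fragments in arrival order under a hypothetical overlap policy.
    'first': a byte already placed is kept; 'last': a later fragment overwrites it.
    Raises ValueError on gaps, since a datagram with holes is never complete."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf: Dict[int, int] = {}
    for f in frags:
        for k, byte in enumerate(f.data):
            pos = f.offset + k
            if pos in buf and policy == "first":
                continue
            buf[pos] = byte
    length = max(buf) + 1 if buf else 0
    if len(buf) != length:
        raise ValueError("fragment set has gaps; datagram incomplete")
    return bytes(buf[i] for i in range(length))


def audit_fragments(frags: List[Fragment]) -> Dict[str, object]:
    """Sensor-side verdict on a fragment set.
    overlaps:  number of overlapping fragment pairs (any overlap is anomalous)
    ambiguous: True when the two policies yield different datagrams, i.e. a passive
               sensor cannot know the destination's view without knowing its stack
    first/last: the datagram each policy would hand to the application"""
    pairs = find_overlaps(frags)
    first = reassemble(frags, "first")
    last = reassemble(frags, "last")
    return {
        "overlaps": len(pairs),
        "ambiguous": first != last,
        "first": first,
        "last": last,
    }


# Constructed sample: a third fragment overlaps bytes 3..6 with conflicting content.
CONFLICTING = [
    Fragment(0, b"HELLO "),
    Fragment(6, b"WORLD"),
    Fragment(3, b"XXXX"),
]

# Constructed sample: the second fragment is simply retransmitted unchanged.
RETRANSMIT = [
    Fragment(0, b"abc"),
    Fragment(3, b"def"),
    Fragment(3, b"def"),
]

if __name__ == "__main__":
    for name, frags in (("conflicting", CONFLICTING), ("retransmit", RETRANSMIT)):
        print(name, audit_fragments(frags))
```

Running the block prints one verdict per sample set: the conflicting set shows two overlapping pairs and two different reassemblies, the retransmit set shows one overlapping pair and a single unambiguous datagram. A sensor that counts the overlap in both cases and only escalates the ambiguous one is one way of reconciling the two views in the thread.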