Firewall Wizards mailing list archives
Re: future of IDS
From: Crispin Cowan <crispin () cse ogi edu>
Date: Tue, 20 Oct 1998 02:52:40 +0000
"Stephen P. Gibbons" wrote:
For example, wouldn't it be neat if there was a standardized, IDS-aware, and reliable way for applications to indicate that "Required authentication failed for resource X, reason Y"? "Reason Y" is information that won't necessarily be available to a passive IDS, but can be used by an IDS in determining what action to take in response: extra logging, shunning, whatever.
Wouldn't it be neat if there was an IDS standard such that StackGuard-protected programs could complain about stack smashing attempts such that someone would listen?
IMHO, neither syslog nor SNMP "cut it" for this purpose.
I'm currently using syslog for this purpose. I agree, I'd rather use something else (or at least something in addition to syslog).
The IDS would not have to be taught how to decipher each new protocol, it would instead understand the standard "Hey, IDS, here's an auth-failed message, take note!"
The difficulty seems to be that there are many kinds of events to be communicated via such a protocol. For instance, some events are merely suspicious ("that looks like a similar pattern to an attack I once saw"), some events are very suspicious ("that looks EXACTLY like an attack pattern I know about"), some events are dead certain (StackGuard intrusion events), and some events have no significance at all unless taken in context (port scanning). A protocol that only allows you to report authentication failure isn't enough. The CIDF effort (http://olympus.cs.ucdavis.edu/cidf/) is trying to come to a consensus on such a protocol so that a wide variety of IDS instruments can cooperate to build something that can actually be described as an intrusion detection *system*.

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Support Justice: Boycott Windows 98
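The event classes Crispin lists, sketched as an added example in constructed Python (not code from the thread, from StackGuard or from CIDF): each report carries a confidence level plus Stephen's "resource X, reason Y", and the consumer treats context-only events such as port probes as significant only after counting them per source. The field names, thresholds and action names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Confidence(Enum):
    """How sure the reporting instrument is (the four classes from the thread)."""
    CONTEXT_ONLY = 0      # meaningless on its own, e.g. a single port probe
    SUSPICIOUS = 1        # resembles an attack pattern seen before
    VERY_SUSPICIOUS = 2   # matches a known attack pattern exactly
    CERTAIN = 3           # e.g. a StackGuard canary violation


@dataclass
class Event:
    """One structured report: '<kind> failed for resource X, reason Y' plus a confidence."""
    kind: str             # "auth-failed", "port-probe", "stack-smash", ... (assumed names)
    confidence: Confidence
    source: str           # address the instrument blames (constructed values in tests)
    resource: str = ""    # "resource X": port, service, program
    reason: str = ""      # "reason Y": detail a passive sensor cannot see


class Correlator:
    """Maps events to a response; context-only events are counted per source first."""
    def __init__(self, probe_threshold: int = 5, enum_threshold: int = 5) -> None:
        self.probe_threshold = probe_threshold    # distinct ports before a probe is a scan
        self.enum_threshold = enum_threshold      # "unknown-user" failures before escalating
        self.ports_probed = defaultdict(set)      # source -> distinct ports seen
        self.unknown_users = defaultdict(int)     # source -> "unknown-user" failure count

    def handle(self, ev: Event) -> str:
        """Return one of 'ignore', 'log', 'log-extra', 'shun'."""
        if ev.confidence is Confidence.CERTAIN:
            return "shun"
        if ev.confidence is Confidence.VERY_SUSPICIOUS:
            return "log-extra"
        if ev.kind == "auth-failed" and ev.reason == "unknown-user":
            # Reason Y turns a routine failure into evidence of account guessing.
            self.unknown_users[ev.source] += 1
            return "log-extra" if self.unknown_users[ev.source] >= self.enum_threshold else "log"
        if ev.confidence is Confidence.SUSPICIOUS:
            return "log"
        if ev.kind == "port-probe":
            self.ports_probed[ev.source].add(ev.resource)
            if len(self.ports_probed[ev.source]) >= self.probe_threshold:
                return "log-extra"   # enough distinct ports: now it is a scan
        return "ignore"
```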