IDS mailing list archives

Re: Anomaly based network IDS


From: Brian Hernacki <bhern () meer net>
Date: Thu, 03 Apr 2003 09:42:56 -0800



> How does it determine what is suspicious?

The detection logic of the 'compliant but suspicious' subset of the protocol anomaly detection is generally built based on manual analysis.
There are several ways to determine cases which are compliant but still worth alerting on (even though you don't *know* it's a 
particular exploit). Sometimes we will examine a protocol for obvious points of attack. Other times we may examine a class of exploits or 
even applications and create logic to detect those types of attacks more generically. Often these 'gaps' are created by grey 
areas in protocol specifications or differences between specification and implementation.

ManHunt also applies similar logic in its other detection mechanisms (e.g. traffic monitoring and analysis).
--brian
brian_hernacki () symantec com
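As an added illustration, not part of the original post and not ManHunt's detection logic, the following Python sketch separates the three outcomes the reply describes for one protocol (HTTP/1.x request heads): a grammar violation, a request that is compliant but falls into a grey area (a valid-but-unusual method, percent-encoding of characters that never need encoding, a header value longer than typical implementations buffer), and a clean request. The thresholds, the "common method" list, the function names and the sample requests are all constructed assumptions for this example.

```python
"""Toy protocol-anomaly classifier for HTTP/1.x request heads.

Constructed example: the thresholds and lists below are illustrative
assumptions, not values taken from any product or from the original post.
"""
import re
from dataclasses import dataclass, field
from typing import List

# RFC 7230 "tchar" set, used for methods and header field names.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rf"^({TCHAR}) (\S+) HTTP/(\d)\.(\d)$")
HEADER_LINE = re.compile(rf"^({TCHAR}):[ \t]*(.*?)[ \t]*$")

# Assumed policy values for this example.
COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
MAX_HEADER_VALUE = 1024
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


@dataclass
class Verdict:
    category: str                      # "violation", "suspicious" or "clean"
    reasons: List[str] = field(default_factory=list)


def classify_request(raw: bytes) -> Verdict:
    """Step 1: enforce the grammar (anything that fails is a violation).
    Step 2: apply 'compliant but suspicious' rules to what the grammar
    allows, i.e. grey areas of the spec or spec-vs-implementation gaps."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return Verdict("violation", ["non-ASCII bytes in request head"])

    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return Verdict("violation", [f"malformed request line: {lines[0]!r}"])
    method, target, major, minor = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))

    headers = []
    for line in lines[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            return Verdict("violation", [f"malformed header line: {line!r}"])
        headers.append((h.group(1).lower(), h.group(2)))
    if (major, minor) == (1, 1) and not any(n == "host" for n, _ in headers):
        return Verdict("violation", ["HTTP/1.1 request without Host header"])

    reasons: List[str] = []
    # Grey area: any token is a legal method, but only a handful occur in
    # normal traffic; TRACE in particular is common in reconnaissance.
    if method not in COMMON_METHODS:
        reasons.append(f"valid but unusual method {method}")
    # Grey area: percent-encoding any byte is legal, but encoding unreserved
    # characters ('%41' for 'A', '%2e' for '.') is a signature-evasion habit.
    for enc in re.findall(r"%([0-9A-Fa-f]{2})", target):
        if chr(int(enc, 16)) in UNRESERVED:
            reasons.append(f"unreserved character percent-encoded in target: %{enc}")
            break
    # Spec-vs-implementation gap: the spec sets no length limit on a field
    # value, but many implementations copy values into fixed-size buffers.
    for name, value in headers:
        if len(value) > MAX_HEADER_VALUE:
            reasons.append(f"{name} header value is {len(value)} bytes")

    return Verdict("suspicious", reasons) if reasons else Verdict("clean")


# Constructed sample requests, one per outcome.
SAMPLES = {
    "clean": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "violation": b"GET /index.html HTTP/1.1\r\nHost example.test\r\n\r\n",
    "suspicious": (
        b"TRACE /%41dmin HTTP/1.1\r\nHost: example.test\r\n"
        b"X-Pad: " + b"A" * 2048 + b"\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        v = classify_request(raw)
        print(f"{label:10s} -> {v.category}: {'; '.join(v.reasons) or '-'}")
```

The point of the split is that the second set of rules never fires on a parse failure: the request must first be proven compliant, and only then is it measured against the grey-area heuristics, each of which carries a reason string so an analyst can see which manual-analysis rule tripped rather than a bare "anomaly".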



