Re: new on IDSs (Context-awareness in IDSes)

[Umesh Shankar <ushankar () cs berkeley edu>]

Hello all,

I'm at student at UC Berkeley (my advisor is David Wagner). Vern Paxson
and I have done work on gathering and using network- and host-specific
information to disambiguate traffic, which we call "Active Mapping".
This lets us perform a more precise analysis. We have a paper coming up
at the IEEE Security (Oakland) conference. A not-quite-final version of
it is available at

http://www.cs.berkeley.edu/%7Eushankar/research/active/activemap.pdf

Feel free to contact if you have any questions or would like to try it
out.

Umesh

> Date:  Mon, 27 Jan 2003 13:33:42 -0500
> From:  "David W. Goodrum" <dgoodrum () nfr com>
> Subject:  Re: new on IDSs
> To:  Omar Herrera <oherrera () prodigy net mx>
> Cc:  focus-ids () securityfocus com
>
> Actually Omar, NFR's NID engine performs passive OS fingerprinting.  So, 
> we re-assemble fragments the same way as the destination OS, thus 
> avoiding that common problem among most other NIDS technologies.
>
> Omar Herrera wrote:
> > Dear Vladimir,
> >
> > I believe that one of the biggest limitations of NIDS the need for
> > response emulation capabilities. NIDS have to know how a particular O.S.
> > responds to certain packets in order to act accordingly and avoid
> > evasion and injection techniques; actually this need is not a limitation
> > by itself but this capability is difficult to implement.
> >
> > Not only should they consider O.S. responses, in many cases they should
> > also consider specific application responses (web servers for example).
> > So, in a big company with a huge diversity of applications and
> > configurations life won't be easy for a NIDS.
> >
> > I'm not sure of what investigation is taking place to reduce this other
> > than adding a bunch of behavior signatures but I believe that for
> > certain configurations things would be easier for a NIDS.
> >
> > For example, if the NIDS is in front of a firewall implementing
> > application gateway and circuit gateway technologies, in theory, it
> > would suffice to the NIDS to know exactly how this device handles
> > traffic at different levels. I'm not aware of a product claiming to do
> > this interaction with firewalls though (and you just can't have this
> > configuration everywhere).
> >
> > Just some thoughts,
> >
> > Omar Herrera
> >
> >
> > > hi all,
> > >
> > > I'm interested in NIDS and i was wondering if somebody could, please,
> > > answer
> > > these questions or give me some information (links, etc):
> > >
> > > 1.- Which are NIDS limitations, in addition of pattern-matching
> >
> > inherent
> >
> > > limitations?
> > >
> > > 2.- Wich technologies or investigation lines are trying to minimize or
> > > even
> > > correct this limitations?
> > >
> > > 3.- What about distributed NIDS?
> >
> >  
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.443 / Virus Database: 248 - Release Date: 10/01/2003
> >  
>
>
> - -- 
> David W. Goodrum
> Senior Systems Engineer
> NFR Security
> Mobile: 703.731.3765
> Office: 240.747.3425
>
>
> ------- End of Forwarded Message