IDS mailing list archives

Re: Views and Correlation in Intrusion Detection

From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 23 Jun 2003 16:26:12 -0500

How about a "user's" POV?

To be really effective, I'd like to see a system that looks at packetscoming in to the network, compares those to packets hitting specificservers, "knows" if the server is vulnerable to the specific attack and*then* sends an alert.


To do this kind of work you would need:

1) a db (A) with the info on each server - OS, applications,vulnerabilities, etc.2) a detection engine that matches the IP and attack sig to the entry inthe db (A) with its own db (B) of sigs3) an escalation procedure that recognizes that attack A was successful andattack B has begun and therefore alerts "more aggressively".

I don't want to know if an attacker is trying an overflow attack on my IMAPserver if my IMAP server isn't vulnerable to that attack. I could careless. I also don't want to know if some box somewhere with Code Red ishitting my network *unless* I have a box that's susceptible to Code Red.

So it takes a combination of knowledge to alert "intelligently". 1) Whatis the attack? 2) Is the box vulnerable to that attack? 3) Did the attackreach that box? 4) Was the attack successful?

--On Monday, June 23, 2003 02:25:40 PM -0400 "adam.w.hogan"<adam.w.hogan () delphi com> wrote:

It seems to me that this thread and the 'IDS is dead, etc' thread are
both coming to same conclusions.  Namely, much more work/research needs
to be done in event correlation to efficiently, and effectively, use an
IDS.


Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

-------------------------------------------------------------------------------

Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, theworld's premier technical IT security event! 10 tracks, 15 training sessions,1,800 delegates from 30 nations including all of the top experts, from CSO's to"underground" security specialists. See for yourself what the buzz is about!Early-bird registration ends July 3. This event will sell out. www.blackhat.com

-------------------------------------------------------------------------------

Current thread:

Re: Views and Correlation in Intrusion Detection, (continued)
- Re: Views and Correlation in Intrusion Detection SecurIT Informatique Inc. (Jun 17)
- Re: Views and Correlation in Intrusion Detection DAVID MARKLE (Jun 17)
  - Re: Views and Correlation in Intrusion Detection Stephen P. Berry (Jun 18)
    - RE: Views and Correlation in Intrusion Detection David Markle (Jun 18)
    - Re: Views and Correlation in Intrusion Detection Stephen P. Berry (Jun 22)
    - Re: Views and Correlation in Intrusion Detection Blake Matheny (Jun 22)
    - Re: Views and Correlation in Intrusion Detection Blake Matheny (Jun 18)
    - RE: Views and Correlation in Intrusion Detection Rob Shein (Jun 22)
- RE: Views and Correlation in Intrusion Detection Kohlenberg, Toby (Jun 18)
- Re: Views and Correlation in Intrusion Detection adam.w.hogan (Jun 23)
  - Re: Views and Correlation in Intrusion Detection Paul Schmehl (Jun 25)
- Re: Views and Correlation in Intrusion Detection Randy Taylor (Jun 23)
- RE: Views and Correlation in Intrusion Detection adam.w.hogan (Jun 25)
- RE: Views and Correlation in Intrusion Detection Schmehl, Paul L (Jun 25)
  - RE: Views and Correlation in Intrusion Detection Scott M. Algatt (Jun 25)
- RE: Views and Correlation in Intrusion Detection Chmielarski TOM-ATC090 (Jun 25)
  - Re: Views and Correlation in Intrusion Detection Mike Coliton (Jun 26)
- RE: Views and Correlation in Intrusion Detection Sakaba (Jun 26)
- RE: Views and Correlation in Intrusion Detection Kohlenberg, Toby (Jun 26)
- RE: Views and Correlation in Intrusion Detection Chmielarski TOM-ATC090 (Jun 26)
- RE: Views and Correlation in Intrusion Detection Sekurity Wizard (Jun 26)

(Thread continues...)