IDS mailing list archives

RE: Bypassing "smart" IDSes with misdirected frames? (long and boring)


From: "Phil Hollows" <phil () open com>
Date: Tue, 1 Jun 2004 09:48:20 -0400

The solution to linking IDS to VM isn't SF -- it's SIM.  Security
information management products, including the one from Open (the company I
work for, FYI - http://www.open.com), correlate IDS events with VM in order
to determine how relevant an event report from an IDS is.  They also
integrate alerts from multiple IDS, FW etc., so that the false positive risk
is reduced further by looking for patterns of related events to pull threat
signal from the false positive noise.  The results can be very impressive in
terms of improved efficiency. 

Phil Hollows
VP Marketing 
OpenService (Open)
110 Turnpike Road, Suite 308 
Westborough, MA 01581 
www.open.com 

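The correlation Phil describes (scoring each IDS event against what vulnerability management knows about the target, then boosting events that several sources or signatures agree on) can be sketched in a few dozen lines. The block below is an added illustration, not code from OpenService or any product mentioned in the thread; the inventory, signature metadata, scoring weights and alert records are all constructed for the example.

```python
"""Toy SIM-style correlation: rate IDS alerts against a vulnerability
inventory, then cluster per source IP and reward multi-source agreement.
Added example; all hosts, signatures, weights and alerts are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int          # seconds since capture start
    source: str      # "ids" or "fw" (the device that raised it)
    src_ip: str
    dst_ip: str
    dst_port: int
    signature: str   # constructed signature names


# Constructed VM inventory: what the scanner knows about each monitored host.
VM_INVENTORY = {
    "10.0.0.5": {"os": "windows", "services": {80: "iis"},
                 "vulns": {"IIS-UNICODE-TRAVERSAL"}},
    "10.0.0.7": {"os": "linux", "services": {80: "apache"}, "vulns": set()},
}

# Constructed signature metadata: platform and service a signature targets.
SIG_TARGETS = {
    "IIS-UNICODE-TRAVERSAL": {"os": "windows", "service": "iis"},
    "APACHE-CHUNKED-OVERFLOW": {"os": "linux", "service": "apache"},
}


def vm_relevance(alert):
    """Return (score, reason): how much the VM data says this alert matters."""
    host = VM_INVENTORY.get(alert.dst_ip)
    if host is None:
        return 0.2, "target not in inventory"
    if alert.signature in host["vulns"]:
        return 1.0, "target known vulnerable"
    svc = host["services"].get(alert.dst_port)
    if svc is None:
        return 0.1, "port closed on target"
    target = SIG_TARGETS.get(alert.signature, {})
    if target.get("service") and target["service"] != svc:
        return 0.1, "signature targets different service"
    if target.get("os") and target["os"] != host["os"]:
        return 0.1, "signature targets different OS"
    return 0.5, "service matches, not known vulnerable"


def _score(src, cluster):
    """Score a cluster: best single-alert relevance, boosted when several
    devices (IDS + FW) or several distinct signatures point the same way."""
    score = max(vm_relevance(a)[0] for a in cluster)
    sources = {a.source for a in cluster}
    if len(sources) > 1:
        score = min(1.0, score + 0.2)
    if len({a.signature for a in cluster}) > 1:
        score = min(1.0, score + 0.1)
    return {"src_ip": src, "score": round(score, 2),
            "alerts": len(cluster), "sources": sorted(sources)}


def correlate(alerts, window=60):
    """Group alerts by source IP into time windows; return incidents,
    highest score first, so analysts see the relevant ones on top."""
    by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_src[a.src_ip].append(a)
    incidents = []
    for src, items in by_src.items():
        cluster = []
        for a in items:
            if cluster and a.ts - cluster[0].ts > window:
                incidents.append(_score(src, cluster))
                cluster = []
            cluster.append(a)
        if cluster:
            incidents.append(_score(src, cluster))
    return sorted(incidents, key=lambda i: -i["score"])


# Constructed alert feed from two devices.
ALERTS = [
    Alert(0, "ids", "192.0.2.10", "10.0.0.5", 80, "IIS-UNICODE-TRAVERSAL"),
    Alert(1, "ids", "192.0.2.20", "10.0.0.7", 80, "IIS-UNICODE-TRAVERSAL"),
    Alert(2, "ids", "192.0.2.30", "10.0.0.9", 22, "SSH-SCAN"),
    Alert(5, "fw", "192.0.2.10", "10.0.0.5", 445, "FW-DENY"),
    Alert(100, "ids", "192.0.2.10", "10.0.0.7", 80, "APACHE-CHUNKED-OVERFLOW"),
]

if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc)
```

The IIS signature fired against the Apache host drops to the bottom of the queue, while the same signature against the host the scanner flagged as vulnerable, reinforced by a firewall deny from the same source, comes out on top. Real products carry far richer asset data and tuned weights; the structure (relevance from VM, then cross-source pattern boosts) is the point.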

-----Original Message-----
From: Michal Melewski [mailto:mike () pn66 poznan sdi tpnet pl] 
Sent: Friday, May 28, 2004 9:34 AM
To: focus-ids () securityfocus com
Subject: Re: Bypassing "smart" IDSes with misdirected frames? (long and
boring)

Hello
From what I know you haven't discovered anything new. The problem regarding
false MAC addressing was discussed in "Eluding ID systems..." from 1998.
I admit that your approach is more sophisticated and a simple "drop all wrong
MAC addresses" wouldn't help. In my opinion a solution like MAC-address-based
session reassembly can help.
Generally IDSes should move into nearby VMs that behave like the system being
under attack but in an isolated environment, assessing all impacts. This,
however, is SF for now.

(this is the short version of my response because I'm at work now, extended
version coming out soon)

-- 
Michael "carstein" Melewski      |  "Kepler was a humanist, so was Leibniz.
carstein () poznan linux org pl          |   A man who defines humanism as
mobile: 502 545 913              |   the inability to integrate
gpg: carstein.c.pl/carstein.txt  |   is no humanist."
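The MAC-address-based session reassembly that Michal proposes can be shown with a small reassembler that keys streams on the Ethernet addresses as well as the TCP 5-tuple. This is an added example, not code from the thread or from any IDS; the frames, MAC table and addresses are constructed (documentation ranges 192.0.2.0/24 and 00:00:5E:00:53:xx). It compares the two keying strategies on the same capture and flags frames whose destination MAC is not the one the inventory records for the destination IP.

```python
"""Session reassembly keyed on MAC addresses plus the IP/TCP 5-tuple, so a
frame carrying a wrong destination MAC (which the real host's NIC would
never accept) cannot be merged into the stream the host actually sees.
Added example; every frame and address below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


def flow_key(f, mac_aware):
    """5-tuple only, or 5-tuple extended with both MAC addresses."""
    key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
    return key + (f.src_mac, f.dst_mac) if mac_aware else key


def reassemble(frames, mac_aware):
    """Return {flow_key: bytes}. First-seen data wins on overlapping
    sequence numbers, which is the naive policy the misdirected frame
    exploits when MAC addresses are ignored."""
    streams = defaultdict(dict)            # key -> {seq: byte}
    for f in frames:
        seen = streams[flow_key(f, mac_aware)]
        for i, b in enumerate(f.payload):
            seen.setdefault(f.seq + i, b)
    return {k: bytes(v[s] for s in sorted(v)) for k, v in streams.items()}


def misdirected(frames, mac_table):
    """Frames addressed to an IP we monitor but to a MAC that is not the
    one the asset inventory records for it: worth an alert on their own."""
    return [f for f in frames
            if f.dst_ip in mac_table and f.dst_mac != mac_table[f.dst_ip]]


# Constructed inventory: which MAC really belongs to the monitored server.
MAC_TABLE = {"10.0.0.5": "00:00:5e:00:53:02"}

CLIENT = dict(src_mac="00:00:5e:00:53:01", src_ip="192.0.2.10", src_port=40000,
              dst_ip="10.0.0.5", dst_port=80)

# Constructed capture: two genuine frames and one with a bogus destination
# MAC that overlaps the second genuine frame's sequence space.
FRAMES = [
    Frame(dst_mac="00:00:5e:00:53:02", seq=1, payload=b"GET /", **CLIENT),
    Frame(dst_mac="00:00:5e:00:53:ff", seq=6, payload=b"admin.html\n", **CLIENT),
    Frame(dst_mac="00:00:5e:00:53:02", seq=6, payload=b"index.html\n", **CLIENT),
]

if __name__ == "__main__":
    print("5-tuple only :", reassemble(FRAMES, mac_aware=False))
    print("MAC-aware    :", reassemble(FRAMES, mac_aware=True))
    print("misdirected  :", misdirected(FRAMES, MAC_TABLE))
```

With 5-tuple keying the sensor reconstructs a request the server never received; with MAC-aware keying the genuine frames reassemble to what the host saw and the stray frame forms its own stream, which `misdirected` then reports. Simply dropping frames with the wrong MAC, as the thread notes, is not enough on its own: keeping them as a separate, flagged stream preserves the evidence and still keeps signature matching on the real one.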
