IDS mailing list archives
Re: IDS Signature Confidence
From: Nick Black <dank () reflexsecurity com>
Date: Sat, 23 Jul 2005 06:33:55 -0400
THolman () toplayer com rigorously showed:
If a DoS attack is made up of valid traffic, then a NIDS signature isn't going to pick it up. You need to establish whether or not incoming traffic from individual IPs meets acceptable transaction rates, and this is really a job for a rate-based IPS.
This seems a stunningly narrow view of a "signature"; I'm surprised to see the source (I generally find myself nodding and smiling as I read your posts!) Snort's "rate" and "burst" keywords provide a (simplistic) rate limiting as an obvious example. By making available more information from one's connection tracking, etc to the signature language, "signatures" can be used quite effectively to detect DoS patterns of the type you describe. Essentially, if a "signature" can both a) access all state available to the I[DP]S, and b) be expressed to the signature engine using a language strong enough to describe arbitrary [0] operations on this state, it's as powerful as any other code the system could employ (All hail the Church-Turing thesis!) If an IPS provides signature writers just as much flexibility as it does core designers to perform detection, is that a rate-based IPS or a sig-based IPS? I'm appalled that these terms are still bantered about when languages could be getting fixed instead. Mark Teicher made a similar point earlier in the thread, but that post suffered from being far too readable and containing a paucity of complexity theory gobbledygook :). [0] for values of "arbitrary" bounded by "recursively enumerable", of course, but we're among friends. -- nick black "np: the class of dashed hopes and idle dreams."
Attachment:
signature.asc
Description: Digital signature
Current thread:
- RE: IDS Signature Confidence THolman (Jul 21)
- RE: IDS Signature Confidence Mark Teicher (Jul 22)
- Re: IDS Signature Confidence Nick Black (Jul 25)
- <Possible follow-ups>
- RE: IDS Signature Confidence Mike Murray (Jul 22)
- RE: IDS Signature Confidence Mark Teicher (Jul 27)