Re: IDS Signature Confidence

[Nick Black <dank () reflexsecurity com>]

THolman () toplayer com rigorously showed:
> If a DoS attack is made up of valid traffic, then a NIDS signature isn't
> going to pick it up.
> You need to establish whether or not incoming traffic from individual IPs
> meets acceptable transaction rates, and this is really a job for a
> rate-based IPS.

This seems a stunningly narrow view of a "signature"; I'm surprised 
to see the source (I generally find myself nodding and smiling as I read
your posts!) Snort's "rate" and "burst" keywords provide a (simplistic)
rate limiting as an obvious example. By making available more information
from one's connection tracking, etc to the signature language,
"signatures" can be used quite effectively to detect DoS patterns of the
type you describe.

Essentially, if a "signature" can both a) access all state available to
the I[DP]S, and b) be expressed to the signature engine using a language
strong enough to describe arbitrary [0] operations on this state, it's 
as powerful as any other code the system could employ (All hail the
Church-Turing thesis!) If an IPS provides signature writers just as much
flexibility as it does core designers to perform detection, is that a
rate-based IPS or a sig-based IPS? I'm appalled that these terms are
still bantered about when languages could be getting fixed instead.

Mark Teicher made a similar point earlier in the thread, but that 
post suffered from being far too readable and containing a paucity
of complexity theory gobbledygook :).

[0] for values of "arbitrary" bounded by "recursively enumerable", of
course, but we're among friends.

-- 
nick black          "np:  the class of dashed hopes and idle dreams."

Attachment: signature.asc
Description: Digital signature