IDS mailing list archives
RE: IDS evaluations procedures
From: "Sames, David" <David.Sames () sparta com>
Date: Wed, 13 Jul 2005 14:17:35 -0400
<<< David, addressing your original question... (which, incidentally, was about INTERNAL attack traffic, not Internet Storm Center quality stuff that's randomly hitting the outside of your firewall), we'll need a few extra data points.

Okay - right - more details. We haven't exactly figured out all the possible deployment details yet. It's an internal R&D project that came up with an interesting set of algorithms for determining anomalies, based on the stream of packet data. It basically takes in the bit stream as a whole and does its computations over that.

<<< 1. What are you testing for? Traffic-based anomalies? Application level RFC violations and anomalies? Relational-modeling anomalies? Behavioral-anomalies?

I think I answered that - it's traffic-based anomalies.

<<< 2. What collection mechanism is employed? NetFlow? sFlow? Ethernet Frames? Other?

(Full) packet data in its raw form converted to a stream.

<<< 3. Are you only interested in classic "attacks" (fire up Nessus, see what happens) or other anomalies such as malfunctioning applications, policy-driven anomalies, etc?

Primarily concerned with malicious activity in this order: worms, viruses, DoS, "penetration attempts".
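The thread is about how to evaluate a traffic-based anomaly detector that works over the raw packet stream. The following is an added illustration, not code from the original post or from the R&D project it describes: it learns a per-window statistical baseline from attack-free traffic, scores later windows by their largest feature z-score, and then runs the evaluation step (detection rate and false-positive rate against labelled windows). The packet records, hosts, window width, features and the threshold of 5.0 are all constructed assumptions for the demo.

```python
"""Added example (not from the original post or the project it describes):
a minimal traffic-based anomaly detector over a packet stream, plus the
evaluation step the thread is about. All packets below are constructed."""
from collections import Counter
from dataclasses import dataclass
import math


@dataclass
class Pkt:
    ts: float      # capture time in seconds
    src: str
    dst: str
    dport: int
    size: int      # bytes on the wire


def windows(pkts, width=1.0):
    """Group packets into consecutive time windows of `width` seconds."""
    buckets = {}
    for p in pkts:
        buckets.setdefault(int(p.ts // width), []).append(p)
    return [buckets[k] for k in sorted(buckets)]


def features(pkts):
    """Per-window summary: packet count, mean size, destination-port
    entropy, distinct sources, distinct destinations."""
    n = len(pkts)
    if n == 0:
        return (0.0, 0.0, 0.0, 0.0, 0.0)
    mean_size = sum(p.size for p in pkts) / n
    ports = Counter(p.dport for p in pkts)
    entropy = -sum(c / n * math.log2(c / n) for c in ports.values())
    return (float(n), mean_size, entropy,
            float(len({p.src for p in pkts})), float(len({p.dst for p in pkts})))


def fit_baseline(rows):
    """Population mean and std of each feature over attack-free windows."""
    k, m = len(rows), len(rows[0])
    means = [sum(r[i] for r in rows) / k for i in range(m)]
    stds = [math.sqrt(sum((r[i] - means[i]) ** 2 for r in rows) / k) for i in range(m)]
    return means, stds


def score(row, baseline):
    """Largest absolute z-score across features. A feature that never varied
    during training falls back to a unit scale so a change is still visible."""
    means, stds = baseline
    return max(abs(row[i] - means[i]) / (stds[i] if stds[i] > 0 else 1.0)
               for i in range(len(row)))


def evaluate(scores, labels, threshold):
    """Detection rate and false-positive rate of a threshold against
    ground-truth window labels (1 = attack window, 0 = benign)."""
    tp = sum(1 for s, l in zip(scores, labels) if l and s >= threshold)
    fp = sum(1 for s, l in zip(scores, labels) if not l and s >= threshold)
    pos, neg = sum(labels), len(labels) - sum(labels)
    return {"detection_rate": tp / pos if pos else 0.0,
            "false_positive_rate": fp / neg if neg else 0.0}


# ---- constructed traffic (hypothetical hosts and ports) --------------------
def normal_window(idx):
    """Three clients talking HTTP/HTTPS to two servers, 18-22 packets/s."""
    count = 18 + idx % 5
    return [Pkt(idx + i / count, f"10.0.0.{1 + i % 3}", f"10.0.1.{1 + i % 2}",
                80 if i % 2 == 0 else 443, 400 + (i * 37) % 300)
            for i in range(count)]


def scan_window(idx):
    """One host touching 60 distinct ports on one server with tiny packets."""
    return [Pkt(idx + i / 60, "10.0.0.9", "10.0.1.1", 1 + i, 60) for i in range(60)]


def flood_window(idx):
    """300 small packets from 50 sources to one port (DoS-like burst)."""
    return [Pkt(idx + i / 300, f"10.0.2.{1 + i % 50}", "10.0.1.1", 80, 60)
            for i in range(300)]


def run_demo(threshold=5.0):
    """Train on ten benign seconds, then score two benign and two attack
    windows and report the evaluation metrics."""
    training = [p for w in range(10) for p in normal_window(w)]
    baseline = fit_baseline([features(w) for w in windows(training)])
    test = normal_window(10) + normal_window(11) + scan_window(12) + flood_window(13)
    labels = [0, 0, 1, 1]
    scores = [score(features(w), baseline) for w in windows(test)]
    return scores, evaluate(scores, labels, threshold)


if __name__ == "__main__":
    window_scores, metrics = run_demo()
    print([round(s, 1) for s in window_scores], metrics)
```

The design point for an evaluation like the one the thread asks about is that the labels come from the test set, not from the detector: the benign windows are known benign, the scan and flood windows are known attacks, so the two rates are measured rather than assumed. Because the baseline uses a population standard deviation over ten windows, any benign window that repeats a training pattern is guaranteed to score within three standard deviations, which is why the threshold of 5.0 produces no false positives here; real traffic will need the threshold chosen from the score distribution of a held-out benign capture.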