IDS mailing list archives

RE: IDS evaluations procedures


From: "Sames, David" <David.Sames () sparta com>
Date: Wed, 13 Jul 2005 14:17:35 -0400


<<<
David, addressing your original question... (which, incidentally, was
about INTERNAL attack traffic, not Internet Storm Center quality stuff
that's randomly hitting the outside of your firewall), we'll need a few
extra data points.


Okay - right - more details. We haven't exactly figured out all the
possible deployment details yet. It's an internal R&D project that came
up with an interesting set of algorithms for determining anomalies,
based on the stream of packet data. It basically takes in the bit stream
as a whole and does its computations over that.

<<<
1. What are you testing for? Traffic-based anomalies? Application level
RFC violations and anomalies? Relational-modeling anomalies?
Behavioral-anomalies?

I think I answered that - it's traffic-based anomalies.

<<
2. What collection mechanism is employed? NetFlow? sFlow? Ethernet
Frames? Other?

(full) Packet data in its raw form converted to a stream. 

<<
3. Are you only interested in classic "attacks" (fire up Nessus, see
what happens) or other anomalies such as malfunctioning applications,
policy-driven anomalies, etc?

Primarily concerned with malicious activity in this order: worms,
viruses, DOS, "penetration attempts".
<<



