Re: Looking for feedback on anomaly-based IDS systems

[p1g <killfactory () gmail com>]

I run the Enterasys Dragon NBAD in conjunction with Sig Based IDS.

The magic comes from the SIM. I have a Dragon Security Command Console.
It correlates Sig Based IDS with the NBAD sentries.

This setup allows me to correlate vulnerability information, IDS
events, anomalies and syslog/event logs.

I can also run reports on traffic statistics.

NBAD is alot of work.

I think of NBAD as reverse signature based. You dont use signature,
but you do create a global signature pre se of you entire netowrk.

You authorize what you know to be legit documented traffic and
services. Then NBAD tells what doesn't match you baseline.

I don't want to know how people ar edoing it with out this type of technology.
Wasting alot of time i guess.





On 1/9/08, Libershal, David M. <Dave.Libershal () jhuapl edu> wrote:
>  We have been using signature-based systems but now feel the need for
> some additional security protection that might be provided via an
> anomaly-based IDS system (zero day exploits, etc).
>
> I'm not experienced with anomaly-based systems and know only what I've
> seen on the web, or sevral years ago at some trade shows. Some seem to
> be focused more on network operation but also have the IDS component. At
> least for right now, I've been asked to look at security systems.
>
> Any good ideas, suggestions, or horror stories about anomaly-based
> systems that may be a help would be appreciated. Up til now I've only
> been saving signature related emails from this list.
>
> Thanks,
> Dave
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of GMail
> Sent: Wednesday, January 09, 2008 2:59 AM
> To: focus-ids () securityfocus com
> Subject: signature based IDS/IPS effectiveness
>
> focus-ids,
>
>        How effective are signature based IDS/IPS systems on text based
> protocols which involves grammar like PL/SQL. Using PL/SQL I can write
> same query with different ways and different constructs that leads to
> different query patterns. So does not that mean stateless signature
> based IDS/IPS are useless for database servers, etc.
>
> Best Regards,
> Mayur
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
> n=intro_sfw
> to learn more.
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------


-- 
-p1g
SnortCP
  ,,__
o"     )~  oink oink
   ' ' ' '

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------