IDS mailing list archives
Re: Intrusion Detection Evaluation Datasets
From: Stefano Zanero <zanero () elet polimi it>
Date: Thu, 19 Mar 2009 19:47:57 +0100
Stuart Staniford wrote:
> The original example was artificial, but the issue is very real.

Stuart, we are deviating from the original issue

> A common obfuscation technique in javascript (more common a year or two ago) is to have something like:
> [...]
> A simple string matching signature mechanism is useless here (you can alert on things like "eval(unescape(" and some IDS's do, but you will false positive like crazy as legitimate pages also use the idiom).

Really, you're pushing on an open door here. My whole research life has been dedicated to anomaly detection, and I completely agree on simple pattern matching being useless against such attacks and being far from complete. I just didn't agree on the specific example raised by Damiano, as I don't see it happening anywhere in a real attack. Your example is much more compelling (and you'll find similar ones in all of my presentations, as well as Damiano's, I'm sure ;-)

SZ
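An added example, not part of the original message or of any poster's code: it runs the "eval(unescape(" string signature quoted above over two constructed pages, then statically decodes the argument so that a content signature can be compared before and after decoding. The sample pages, the content signature and all function names are assumptions made for illustration.

```python
import re

NAIVE_SIG = "eval(unescape("  # the string signature quoted in the thread
# Assumed content signature: an iframe with a zero width or height attribute.
CONTENT_SIG = re.compile(r"<iframe[^>]*\b(?:width|height)=[\"']?0", re.I)
_CALL = re.compile(r"eval\(\s*unescape\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.S)
_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def js_unescape(s):
    """Static equivalent of JavaScript unescape(): %XX and %uXXXX to characters."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def decoded_scripts(page):
    """Return the decoded argument of every eval(unescape('...')) call in the page."""
    return [js_unescape(m.group(2)) for m in _CALL.finditer(page)]

def inspect(page):
    """Report what each signature sees on the raw page and on the decoded script."""
    inner = decoded_scripts(page)
    return {
        "naive_hit": NAIVE_SIG in page,
        "content_hit_raw": bool(CONTENT_SIG.search(page)),
        "content_hit_decoded": any(CONTENT_SIG.search(s) for s in inner),
    }

def _sample(script):
    # Constructed test input: every character of the script is percent-encoded.
    enc = "".join("%%%02X" % ord(c) for c in script)
    return "<html><script>eval(unescape('%s'));</script></html>" % enc

# Constructed pages: one legitimate use of the idiom, one hiding a zero-size iframe.
BENIGN = _sample("document.write('<a href=\"mailto:info@example.org\">contact</a>')")
HIDDEN = _sample("document.write('<iframe src=\"http://example.invalid/\" width=0 height=0></iframe>')")

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("hidden", HIDDEN)):
        print(name, inspect(page))
```

The naive signature fires on both pages and the content signature sees nothing on either raw page; only the decoded script separates them. This decoder handles a literal string argument only, so an argument assembled at runtime would need script emulation instead.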