Re: how to do intrusion detection right

From: Sheila Or Bob (depends on who is writing) (shsrmsat_private)
Date: Sat Apr 18 1998 - 06:29:29 PDT


    Nicholas Charles Brawn wrote:
    > 
    > Would you then not run the risk of attackers masking hostile traffic by
    > making it appear to look "expected"?
    > 
    > Nicholas Brawn
    
    Exactly!  The gabriel and other scan detectors are easily defeated by a
    patient low level attack - spread things over a time period that is
    beyond their threshold, do things aperiodically.
    Sometimes humans can discern something is out of the ordinary. 
    Sometimes they can't.
    
    In the event of establishing a profile of the net "what is normal
    traffic" with a new IDS, they can be confused with what I call white
    noise, so that things look like they are expected!
    bob
    
    > 
    > --
    > Email: ncb05at_private
    > Nicholas Brawn - Computer Science Undergraduate, University of Wollongong.
    > 
    > On Thu, 16 Apr 1998, George J. Dolicker wrote:
    > 
    > > I think perhaps what the intrusion detection system might do is not look
    > > for something "interesting", but rather something "different".  Rather than
    > > trying to define what is a problem, define what is NOT a problem... so
    > > configure the IDS to smile upon traffic that is expected, and panic over
    > > anything else.
    > >
    > > Same principle we use in firewalling:  that which is not explicitly
    > > permitted is denied.
    > >
    > > G.
    > >
    > > At 12:02 PM 4/16/98 MDT, Martin W Freiss wrote:
    > > >When the administrator can tailor the IDS to unacceptable/interesting
    > > >stuff on the net, what he does is transfer his own mindset about security
    > > >to the IDS. I then have a machine that "thinks" like me, which thus alerts
    > > >me about facts that I am already aware of - a useful thing that may save
    > > >some work, but will not help me notice next week's bug being exploited.
    > > >
    > > >I may be stupid, but what is "interesting" is something I do not know
    > > >before an intrusion attempt.
    > > >Tomorrow's attack may use some technique that is "obviously" safe today,
    > > >thus bypassing my (human or computer) filtering layer. Using a sufficiently
    > > >"new" technique, my firewall will probably not notice that it has been
    > > >broached. What _can_ help me is having a complete log of everything that
    > > >has been going through the network, which I can then analyze to understand
    > > >what has happened. An intrusion analysis system, if you will - which
    > > >so far includes a large human component.
    > > >
    > > >-Martin
    > > >
    > >
    > >
    
    -- 
    real address is shsrms at erols dot com
    The Herbal Gypsy and the Tinker.
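An added illustration of Bob's point about threshold-based scan detectors (example code written for this archive page, not from anyone in the thread): the same distinct-port counter is run over constructed connection records with a short window, which misses a source that probes one port every 20 minutes, and then with a multi-hour window, which catches it at the cost of keeping per-source state for the whole horizon. The window sizes, thresholds and addresses are hypothetical.

```python
from collections import defaultdict, deque

# Constructed connection records: (timestamp_seconds, src_ip, dst_port).
# 10.0.0.5 hits 12 ports in 12 seconds (a noisy scan).
# 10.0.0.9 touches one new port every 1200 s, 12 ports over ~3.7 hours
#   (the "patient" scan Bob describes).
# 10.0.0.7 reconnects to port 80 every 10 minutes (legitimate repeats).
SAMPLE_EVENTS = (
    [(i, "10.0.0.5", 1 + i) for i in range(12)]
    + [(1200 * i, "10.0.0.9", 100 + i) for i in range(12)]
    + [(600 * i, "10.0.0.7", 80) for i in range(30)]
)


def distinct_port_alerts(events, window, threshold):
    """Return the set of sources that touch more than `threshold` distinct
    destination ports within any sliding `window` of seconds.

    This is the core of a classic scan detector: the window bounds how much
    history is kept per source, and therefore how slow a scan can be and
    still be noticed."""
    recent = defaultdict(deque)  # src -> deque of (ts, port), oldest first
    alerted = set()
    for ts, src, port in sorted(events):
        q = recent[src]
        q.append((ts, port))
        # Expire entries that have fallen out of the window.
        while ts - q[0][0] > window:
            q.popleft()
        if len({p for _, p in q}) > threshold:
            alerted.add(src)
    return alerted


if __name__ == "__main__":
    # Short window: only the fast scanner trips the detector.
    print("60 s window:  ", distinct_port_alerts(SAMPLE_EVENTS, 60, 10))
    # Six-hour window: the slow scanner is caught too, while the repeated
    # connections to a single port still never count as a scan.
    print("6 h window:   ", distinct_port_alerts(SAMPLE_EVENTS, 6 * 3600, 10))
```

Widening the window is the mitigation for slow scans, but the state kept per source grows with it, which is why a complete connection log analyzed after the fact, as Martin suggests, remains the fallback.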
    