Dailydave mailing list archives
Re: Arbor-con
From: dave <dave () immunitysec com>
Date: Wed, 21 Jul 2004 07:57:38 -0400
Andre Gironda wrote:
> Well, combine it with any half-assed algorithm that does worm detection
> first - any sort of modeling and heuristics or basic pattern matching algo
> will work. Do it on a per-port (or per RPC service) basis.
>
> On Tue, 20 Jul 2004 17:51:56 -0400, dave <dave () immunitysec com> wrote:
>> The use case is fairly interesting, and obviously applicable to
>> traditional intrusion detection/prevention. I think there are other
>> avenues that weren't discussed, of course, like automated attack/worm
>> packet signature development and deployment. (hmm. This host A seems
>> infected, it spewed string ABCD at host B. Then host B started doing the
>> same thing. Let's block all packets with string ABCD on that port from
>> any host to any host).
>
> Hrmn... sounds too much like Bittorrent or a bunch of production SQL
> servers talking. Do you have a good example of how that might work?
So the code looks like this:

    if worm_trigger_reached:
        sigs = scan_non_baselined_packets_for_sigs()   # generate a list of signatures by comparing packets
        filter_and_check_baselined_packets_for_sigs(sigs)   # make sure we wouldn't block good packets and delete any sigs that do
        apply_new_sigs(sigs)

Won't catch SSL/ipsec worms though.

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
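The three-step pipeline from dave's reply carried through in Python, as an added example that is not code from the thread: the function bodies, the shared-n-gram method for comparing packets, and every sample packet are constructed assumptions for this illustration, and the distinct-ciphertext sample shows why an SSL/IPsec worm yields no signature.

```python
# Added worked example of the pipeline sketched in the reply above; the
# function bodies, n-gram method and all sample packets are constructed.
import hashlib
from collections import Counter

# Constructed traffic on one port. SUSPICIOUS: packets the worm trigger
# fired on (host A spewed them, then host B started sending the same).
# BASELINED: known-good packets previously seen on the same port.
SUSPICIOUS = [
    b"HELLO 1.0\r\nDATA ABCDABCD\x90\x90\x90\x90\xcc\xcc user=a\r\n",
    b"HELLO 1.1\r\nDATA ABCDABCD\x90\x90\x90\x90\xcc\xcc user=b\r\n",
    b"HELLO 1.0\r\nDATA ABCDABCD\x90\x90\x90\x90\xcc\xcc user=c\r\n",
]
BASELINED = [
    b"HELLO 1.0\r\nDATA hello world user=alice\r\n",
    b"HELLO 1.1\r\nDATA quarterly report user=bob\r\n",
    b"HELLO 1.0\r\nDATA ABCD is a fine string user=carol\r\n",
]
# Stand-in for an SSL/IPsec worm: every packet is distinct ciphertext.
ENCRYPTED = [hashlib.sha256(b"ciphertext-%d" % i).digest() for i in range(3)]

def ngrams(packet, n):
    return {packet[i:i + n] for i in range(len(packet) - n + 1)}

def scan_non_baselined_packets_for_sigs(packets, n=8, min_share=1.0):
    """Candidate signatures: n-byte substrings present in at least min_share
    of the suspicious packets (worm payload repeats; user data varies)."""
    counts = Counter()
    for p in packets:
        counts.update(ngrams(p, n))
    need = min_share * len(packets)
    return sorted(s for s, c in counts.items() if c >= need)

def filter_and_check_baselined_packets_for_sigs(sigs, baselined):
    """Delete every candidate that also occurs in known-good traffic, so the
    new rules cannot block the baselined packets (the false-positive check)."""
    return [s for s in sigs if not any(s in p for p in baselined)]

def apply_new_sigs(sigs):
    """Return the per-port filter a blocker would now run on every packet."""
    return lambda packet: any(s in packet for s in sigs)

def build_blocker(suspicious, baselined):
    # The whole pipeline, run once the worm trigger has been reached.
    sigs = scan_non_baselined_packets_for_sigs(suspicious)
    sigs = filter_and_check_baselined_packets_for_sigs(sigs, baselined)
    return sigs, apply_new_sigs(sigs)
```

The protocol prefix (`HELLO 1.`) is a candidate after step one but is removed in step two because the baseline contains it; only the repeated payload bytes survive, and the ciphertext set produces no candidates at all.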