Firewall Wizards mailing list archives
Re: Intrusion Detection
From: Aleph One <aleph1 () dfw net>
Date: Wed, 15 Apr 1998 19:46:04 -0500 (CDT)
On Wed, 15 Apr 1998, Marcus J. Ranum wrote:
> I dunno how many of the folks on this list remember Fred Cohen's "intrusion detection" system that he used to run on all.net. If you tried to Telnet to his system, it would look up the registered contact for your domain and E-mail them a nastygram that someone had just tried to break in to his system from your workstation.

I certainly do. I also remember how people created web pages with an embedded telnet:all.net link for people to stumble on. Everyone (except Fred maybe) got a kick out of it.

> I'm starting to convince myself that I want to implement IDS as policy-based traps (a la Raiders of the Lost Ark -- if someone runs teardrop on me I want a big rock to fall on them) backed with passive sensors (microwave/PIR packet suckers) to catch anything that sneaks past. There are so many physical security analogies for how to do this right -- it's all beginning to come clear for me now.

This is in essence an IDS that is both a static ADS and an MDS. The ADS part looks for network activity that does not match its profile of the network (your policy). It's static because it does not learn this policy from the network but from the configuration interface. The MDS part is what looks for attack signatures. This may be part of both the traffic that matches your network profile and that which does not. The MDS should attempt to determine if the attack it has just detected has been successful or not. This is simple to know in certain attacks (DoS, buffer overflows, etc.) and more difficult in others. The IDS would classify events into either warnings or alarms. Any breach of your network profile or an attack signature match that was or may have been successful would be reported as an alarm. Unsuccessful attacks would be warnings.

> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr
Aleph One / aleph1 () dfw net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
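The following is an added example, not part of the original message or of any product mentioned in the thread: a toy in Python of the two-layer classifier Aleph One describes, with a static, configured network profile (the ADS layer) and attack signatures that also try to judge whether the attack succeeded (the MDS layer), feeding the warning/alarm rule he gives. The policy entries, addresses, payloads, the NOP-sled and overlapping-fragment signatures, and the sensor observations are all constructed for the illustration.

```python
"""Added example (not from the original message): a toy of the
warning/alarm IDS Aleph One sketches, with a static network profile
(the "ADS" layer) and attack signatures that also judge success
(the "MDS" layer). All addresses, ports, payloads and signatures
below are constructed for the illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    src: str
    dst: str
    proto: str                               # "tcp" or "udp"
    dport: int
    payload: bytes = b""
    response: Optional[bytes] = None         # target's reply, if the sensor saw one
    target_alive: Optional[bool] = None      # post-event liveness check, if made
    frags: Tuple[Tuple[int, int], ...] = ()  # IP fragments as (offset, length)


# Static profile of permitted flows (constructed): (src net, dst net, proto, dport).
# It is configured, not learned from traffic, which is what makes the ADS "static".
POLICY = [
    (ip_network("0.0.0.0/0"),  ip_network("192.0.2.10/32"), "tcp", 80),  # public web
    (ip_network("0.0.0.0/0"),  ip_network("192.0.2.30/32"), "udp", 53),  # public DNS
    (ip_network("10.0.0.0/8"), ip_network("192.0.2.20/32"), "tcp", 25),  # inside -> mail relay
]


def in_profile(ev: Event) -> bool:
    """ADS layer: does the flow match the configured profile?"""
    src, dst = ip_address(ev.src), ip_address(ev.dst)
    return any(src in s and dst in d and ev.proto == p and ev.dport == port
               for s, d, p, port in POLICY)


@dataclass(frozen=True)
class Signature:
    name: str
    match: Callable[[Event], bool]
    # True = attack succeeded, False = clearly failed, None = cannot tell
    succeeded: Callable[[Event], Optional[bool]]


def _overflow_outcome(ev: Event) -> Optional[bool]:
    if ev.response is None:
        return None                          # no reply seen: may have succeeded
    return b"uid=0" in ev.response or ev.response.startswith(b"# ")


def _fragments_overlap(frags: Tuple[Tuple[int, int], ...]) -> bool:
    """Teardrop-style check: a fragment that starts inside the previous one."""
    end = 0
    for off, length in sorted(frags):
        if off < end:
            return True
        end = off + length
    return False


SIGNATURES = [
    Signature("nop-sled-overflow",
              lambda ev: b"\x90" * 32 in ev.payload,
              _overflow_outcome),
    Signature("overlapping-fragments-dos",
              lambda ev: _fragments_overlap(ev.frags),
              # a DoS succeeded exactly when the target stopped answering
              lambda ev: None if ev.target_alive is None else not ev.target_alive),
]


def classify(ev: Event) -> Tuple[str, List[str]]:
    """Return ("ok" | "warning" | "alarm", reasons) per the message's rules."""
    level, reasons = "ok", []
    if not in_profile(ev):
        level = "alarm"                      # any profile breach is an alarm
        reasons.append("outside network profile")
    for sig in SIGNATURES:
        if not sig.match(ev):
            continue
        outcome = sig.succeeded(ev)
        if outcome is False:
            reasons.append(f"{sig.name}: failed")
            level = "warning" if level == "ok" else level
        else:
            reasons.append(f"{sig.name}: " + ("succeeded" if outcome else "outcome unknown"))
            level = "alarm"                  # succeeded or undetermined: alarm
    return level, reasons


# Constructed sensor observations.
SLED = b"GET /" + b"\x90" * 64 + b"\xeb\x1f HTTP/1.0\r\n"
SAMPLE_EVENTS = {
    "benign-mail":       Event("10.1.2.3", "192.0.2.20", "tcp", 25, b"EHLO ws1\r\n", b"250 ok\r\n"),
    "telnet-probe":      Event("198.51.100.7", "192.0.2.10", "tcp", 23, b"\r\n", b"login: "),
    "overflow-rooted":   Event("198.51.100.7", "192.0.2.10", "tcp", 80, SLED, b"uid=0(root)\n"),
    "overflow-rejected": Event("198.51.100.7", "192.0.2.10", "tcp", 80, SLED, b"HTTP/1.0 400 Bad Request\r\n"),
    "overflow-silent":   Event("198.51.100.7", "192.0.2.10", "tcp", 80, SLED, None),
    "teardrop-killed":   Event("198.51.100.9", "192.0.2.30", "udp", 53,
                               frags=((0, 36), (24, 4)), target_alive=False),
    "teardrop-survived": Event("198.51.100.9", "192.0.2.30", "udp", 53,
                               frags=((0, 36), (24, 4)), target_alive=True),
}


def run_samples() -> dict:
    return {name: classify(ev)[0] for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        level, why = classify(ev)
        print(f"{name:20s} {level:8s} {'; '.join(why)}")
```

Two design points follow directly from the message: a profile breach is an alarm even when no signature fires (the telnet probe), and a signature whose outcome the sensor cannot determine (no reply observed) is escalated to an alarm rather than downgraded, since "may have been successful" is on the alarm side of the rule.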