IDS mailing list archives
RE: Firewall Activity analysis
From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Wed, 11 Dec 2002 15:58:11 -0500 (EST)
All,
> discovering new attacks/attackers. Anomaly detection via statistical analysis would be an effective method for discovering these new attacks.
Well, isn't it one of those things that is mentioned much more often than it is implemented? Many people say it's a good idea to have a full-blown anomaly detection running on log data and even more people agree with those saying that :-) However, anomaly detection is kinda lacking even for the packet-level stuff (which is more rigid in format than system logs). Many discussions on Tina Bird's log-analysis list happen around this very topic - and there doesn't seem to be any meaningful bottom line [yet].

And the dangerous thing about jumping in and implementing some simple rules (such as "connection failed -> conn successful") is that it might create a nice little (well, BIG actually!) "false-positive machine" - and NIDS systems already provide plenty of that.

Discovering new attacks via statistical anomalies sounds promising, but what is the evidence to suggest that those new attacks will be in the log files in the first place? (see, e.g. http://www.immunitysec.com/dailydave/9.24.2002.html)

Best,
--
Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org