IDS mailing list archives

Re: IDS is dead, etc

From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 4 Aug 2003 07:04:49 -0400

Hi Burak,

I remember your work and it was cool stuff. RNA is significantlydifferent than just straight passive OS fingerprinting, we're buildinga persistent model of the network and applying what we've learned overtime to the data that's coming out of the NIDS. There are severalother "neat things" that RNA does that'll let it stand alone as aproduct unto itself, but when combined with NIDS it is designed toresult in better prioritization of event data, reduction inevadability/false negatives, and false positive mitigation.


      -Marty


On Tuesday, August 5, 2003, at 02:41  AM, Burak DAYIOGLU wrote:

On Sun, 2003-06-22 at 18:44, Martin Roesch wrote:
I would love to see a fingerprinting tool that identified the clientandserver Operating System / Application and reduced the priority ofalertsfor false positives when it is known that the system is notvulnerable.
The alerts still flag, so we see the drive-by-shootings, but as their
priority is reduced they are less significant.

Anyone got any development ideas on this front?
I'm working on just such a program/product called RNA (Real-timeNetworkAwareness) right now, we've got a press release outlining thetechnology(which isn't available yet) on the Sourcefire web site. I'll spareeveryonethe marketing here, if anyone wants more information just drop me anemail.
I have had implemented such an extension, as Giles refer, in 2001 to
Snort while doing my M.Sc. thesis. I have integrated p0f of Zalewski as
a preprocessor plugin to Snort to "learn" protected hosts' operating
systems. With the help of Max Vision, we have extended Snort signatures
to include proper target O.S. information.

We have had some success with the issue. Interested people can check my
thesis (http://www.dayioglu.net/publications/thesis.pdf)or the paper
about it (http://www.dayioglu.net/publications/iscis2001.pdf).

I bet Roesch has been doing much more than this... :)

with regards.
--
Burak DAYIOGLU
Consultant, Pro-G Information Security and Research Ltd.
Phone: +90 312 2101494         Fax: +90 312 2101493
http://www.pro-g.com.tr           ICQ UIN: 72276975

--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Enterprise-class Intrusion detection built on Snort
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


---------------------------------------------------------------------------

Captus Networks - Integrated Intrusion Prevention and Traffic Shaping- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans

- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------

Current thread:

Re: IDS is dead, etc Burak DAYIOGLU (Aug 05)
- Re: IDS is dead, etc Martin Roesch (Aug 05)
- Re: IDS is dead, etc David W. Goodrum (Aug 05)
  - Re: IDS is dead, etc Paul Schmehl (Aug 06)
    - Re: IDS is dead, etc Bennett Todd (Aug 06)
    - Re: IDS is dead, etc maz (Aug 07)
    - Re: IDS is dead, etc M. Dodge Mumford (Aug 07)
- <Possible follow-ups>
- RE: IDS is dead, etc Tom Arseneault (Aug 06)
  - RE: IDS is dead, etc Mark Tinberg (Aug 07)
- RE: IDS is dead, etc Tom Arseneault (Aug 07)
  - Re: IDS is dead, etc Sebastian Schneider (Aug 07)
  - Re: IDS is dead, etc Barry Fitzgerald (Aug 07)

(Thread continues...)