IDS mailing list archives
Re: IDS is dead, etc
From: Burak DAYIOGLU <burak.dayioglu () pro-g com tr>
Date: 05 Aug 2003 09:41:26 +0300
On Sun, 2003-06-22 at 18:44, Martin Roesch wrote:
I would love to see a fingerprinting tool that identified the client and server Operating System / Application and reduced the priority of alerts for false positives when it is known that the system is not vulnerable. The alerts still flag, so we see the drive-by-shootings, but as their priority is reduced they are less significant. Anyone got any development ideas on this front?I'm working on just such a program/product called RNA (Real-time Network Awareness) right now, we've got a press release outlining the technology (which isn't available yet) on the Sourcefire web site. I'll spare everyone the marketing here, if anyone wants more information just drop me an email.
I have had implemented such an extension, as Giles refer, in 2001 to Snort while doing my M.Sc. thesis. I have integrated p0f of Zalewski as a preprocessor plugin to Snort to "learn" protected hosts' operating systems. With the help of Max Vision, we have extended Snort signatures to include proper target O.S. information. We have had some success with the issue. Interested people can check my thesis (http://www.dayioglu.net/publications/thesis.pdf)or the paper about it (http://www.dayioglu.net/publications/iscis2001.pdf). I bet Roesch has been doing much more than this... :) with regards. -- Burak DAYIOGLU Consultant, Pro-G Information Security and Research Ltd. Phone: +90 312 2101494 Fax: +90 312 2101493 http://www.pro-g.com.tr ICQ UIN: 72276975 --------------------------------------------------------------------------- Captus Networks - Integrated Intrusion Prevention and Traffic Shaping - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans - Automatically Control P2P, IM and Spam Traffic - Ensure Reliable Performance of Mission Critical Applications Precisely Define and Implement Network Security and Performance Policies **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo Visit us at: http://www.captusnetworks.com/ads/31.htm ---------------------------------------------------------------------------
Current thread:
- Re: IDS is dead, etc Burak DAYIOGLU (Aug 05)
- Re: IDS is dead, etc Martin Roesch (Aug 05)
- Re: IDS is dead, etc David W. Goodrum (Aug 05)
- Re: IDS is dead, etc Paul Schmehl (Aug 06)
- Re: IDS is dead, etc Bennett Todd (Aug 06)
- Re: IDS is dead, etc maz (Aug 07)
- Re: IDS is dead, etc M. Dodge Mumford (Aug 07)
- Re: IDS is dead, etc Paul Schmehl (Aug 06)
- <Possible follow-ups>
- RE: IDS is dead, etc Tom Arseneault (Aug 06)
- RE: IDS is dead, etc Mark Tinberg (Aug 07)
- RE: IDS is dead, etc Tom Arseneault (Aug 07)
- Re: IDS is dead, etc Sebastian Schneider (Aug 07)
(Thread continues...)