IDS mailing list archives
Re: new on IDSs (Context-awareness in IDSes)
From: Umesh Shankar <ushankar () cs berkeley edu>
Date: 27 Jan 2003 16:00:26 -0800
Hello all,

I'm a student at UC Berkeley (my advisor is David Wagner). Vern Paxson and I have done work on gathering and using network- and host-specific information to disambiguate traffic, which we call "Active Mapping". This lets us perform a more precise analysis. We have a paper coming up at the IEEE Security (Oakland) conference. A not-quite-final version of it is available at http://www.cs.berkeley.edu/%7Eushankar/research/active/activemap.pdf

Feel free to contact me if you have any questions or would like to try it out.

Umesh
Date: Mon, 27 Jan 2003 13:33:42 -0500
From: "David W. Goodrum" <dgoodrum () nfr com>
Subject: Re: new on IDSs
To: Omar Herrera <oherrera () prodigy net mx>
Cc: focus-ids () securityfocus com

Actually Omar, NFR's NID engine performs passive OS fingerprinting. So, we re-assemble fragments the same way as the destination OS, thus avoiding that common problem among most other NIDS technologies.

Omar Herrera wrote:

> Dear Vladimir,
>
> I believe that one of the biggest limitations of NIDS is the need for response emulation capabilities. NIDS have to know how a particular O.S. responds to certain packets in order to act accordingly and avoid evasion and injection techniques; actually this need is not a limitation by itself but this capability is difficult to implement. Not only should they consider O.S. responses, in many cases they should also consider specific application responses (web servers for example). So, in a big company with a huge diversity of applications and configurations life won't be easy for a NIDS.
>
> I'm not sure of what investigation is taking place to reduce this other than adding a bunch of behavior signatures, but I believe that for certain configurations things would be easier for a NIDS. For example, if the NIDS is in front of a firewall implementing application gateway and circuit gateway technologies, in theory, it would suffice for the NIDS to know exactly how this device handles traffic at different levels. I'm not aware of a product claiming to do this interaction with firewalls though (and you just can't have this configuration everywhere).
>
> Just some thoughts,
>
> Omar Herrera
>
>> hi all,
>>
>> I'm interested in NIDS and i was wondering if somebody could, please, answer these questions or give me some information (links, etc):
>>
>> 1.- Which are NIDS limitations, in addition to pattern-matching inherent limitations?
>> 2.- Which technologies or investigation lines are trying to minimize or even correct these limitations?
>> 3.- What about distributed NIDS?

-- 
David W. Goodrum
Senior Systems Engineer
NFR Security
Mobile: 703.731.3765
Office: 240.747.3425

------- End of Forwarded Message
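A small illustration of the reassembly point Goodrum and Herrera raise, added here as an example and not code from NFR, Active Mapping or anyone in the thread: the same overlapping fragments yield different bytes depending on the destination host's overlap policy, so a NIDS that does not know the host's policy cannot tell which payload the host will act on. The two policies ("first" and "last"), the host-to-policy table and the fragments are constructed assumptions; real stacks differ in finer ways than this model.

```python
# Policy-dependent reassembly of overlapping fragments, from the NIDS's view.
# Two simplified policies: "first" (bytes already received win) and "last"
# (later bytes overwrite). Which OS uses which is NOT stated on the page.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this fragment within the datagram
    data: bytes

def reassemble(fragments: Iterable[Fragment], policy: str) -> Tuple[bytes, bool]:
    """Return (bytes, ambiguous); ambiguous means the policies would disagree."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    frags = list(fragments)  # processed in arrival order
    size = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(size)
    filled = [False] * size
    ambiguous = False
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if filled[pos]:
                if buf[pos] != b:
                    ambiguous = True  # conflicting data for the same byte
                if policy == "first":
                    continue  # keep the byte that arrived first
            buf[pos] = b
            filled[pos] = True
    return bytes(buf), ambiguous

# Per-host policy table, as active mapping or passive fingerprinting would
# populate it. Addresses and policies are constructed sample values.
HOST_POLICY = {"10.0.0.5": "first", "10.0.0.9": "last"}

def nids_view(dst: str, fragments: Iterable[Fragment]) -> Tuple[Optional[bytes], bool]:
    """Reassemble the way the destination host would; unknown host -> (None, True)."""
    policy = HOST_POLICY.get(dst)
    if policy is None:
        return None, True   # cannot disambiguate without host knowledge
    return reassemble(fragments, policy)

# Constructed sample: the second fragment overlaps bytes 5..10 of the first
# with different data, so two hosts can see two different requests.
SAMPLE = [Fragment(0, b"GET /a.html"), Fragment(5, b"b.html")]
```

When `ambiguous` is True for a host whose policy is unknown, the sensor has no grounds to pick either reading, which is exactly the gap that mapping the destination OS closes.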