IDS mailing list archives
Re: Views and Correlation in Intrusion Detection
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Thu, 19 Jun 2003 18:05:45 -0700
David Markle writes:
> However, the greater question is how do you 1.) capture and 2.) disseminate the "sixth" packet from real traffic?
Differentiate. But yes; this is a nontrivial question, and one which you probably correctly place beyond the scope of this discussion.

My point is that what constitutes innocuous is just as dependent on context as what constitutes suspicious. You observe that packets matching j. random scan signature aren't very interesting unless the target happens to be vulnerable to the thing being scanned for. Fair enough. My point is that a `clean' connection from a given source suddenly becomes interesting if the same source has sent a bunch of traffic that just matched j. random signature. Something that looks uninteresting coming from a random point on the net is probably very interesting coming from someone who has been scanning you.

Whether this correlation takes place via a visual grep done by an analyst or by a table join done by your NIDS backend is really a separate issue. It is the case that most contemporary NIDSes are pretty bad about doing this sort of thing---but more's the pity for the NIDS, not for the validity of the contention.
> Finally, you referenced IDMEF in your [-] footnote that was a bit confusing. Please elaborate on your comment.
It wasn't really germane to the main point, which is why I put it in a footnote and labeled it as a random aside. Anyway, the IDMEF is ostensibly a general-purpose mechanism for exchanging data relating to intrusion detection systems. The situation I described is obviously a fairly straightforward one which is nevertheless needlessly difficult to describe in the IDMEF[0]. When I grumble about the IDMEF, I'm frequently asked to supply examples of weaknesses in it; it occurred to me when I was composing my message that what I was describing was one such example.

-spb

-----
[0] Owing to the structure of the model; namely, a result of the decision to rely on a context-free grammar adept at expressing relationships involving aggregation and inheritance.
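The correlation Berry describes (a "clean" connection becoming interesting because the same source recently tripped scan signatures) is easy to show as the table join he mentions. The script below is an added example and is not code from the thread or from any NIDS; the alert and connection records, their field layout, the one-hour window and the three-hit threshold are all constructed assumptions for illustration. In a real deployment the two lists would come from the NIDS alert table and the flow or connection log.

```python
"""Flag connections whose source recently generated scan-signature alerts.

Added example, not part of the original thread. Record formats, field names,
thresholds and sample values are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample NIDS alerts: (timestamp, source IP, signature name)
ALERTS = [
    ("2003-06-19 17:50:02", "198.51.100.7", "SCAN nmap TCP"),
    ("2003-06-19 17:50:03", "198.51.100.7", "SCAN nmap TCP"),
    ("2003-06-19 17:50:05", "198.51.100.7", "SCAN nmap TCP"),
    ("2003-06-19 17:55:00", "203.0.113.9", "WEB-MISC robots.txt access"),
]

# Constructed sample connection records: (timestamp, source IP, dest IP, dest port)
CONNECTIONS = [
    ("2003-06-19 17:52:10", "198.51.100.7", "192.0.2.10", 22),  # follows a scan burst
    ("2003-06-19 17:52:11", "192.0.2.55", "192.0.2.10", 22),    # random source, no alerts
    ("2003-06-19 19:30:00", "198.51.100.7", "192.0.2.10", 80),  # same scanner, outside window
]


def parse_ts(s):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamp format."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(alerts, connections, window=timedelta(hours=1), min_hits=3, prefix="SCAN"):
    """Return connections whose source produced at least `min_hits` alerts with a
    signature name starting with `prefix` in the `window` before the connection.

    This is the in-memory equivalent of joining the alert table to the
    connection log on source address with a time-range predicate.
    """
    # Index scan-signature alert times by source address.
    hits = defaultdict(list)
    for ts, src, sig in alerts:
        if sig.startswith(prefix):
            hits[src].append(parse_ts(ts))

    flagged = []
    for ts, src, dst, port in connections:
        t = parse_ts(ts)
        # Only alerts inside [t - window, t] count: old scans age out.
        prior = [h for h in hits.get(src, []) if t - window <= h <= t]
        if len(prior) >= min_hits:
            flagged.append({
                "ts": ts, "src": src, "dst": dst, "port": port,
                "prior_scan_hits": len(prior),
            })
    return flagged


if __name__ == "__main__":
    for row in correlate(ALERTS, CONNECTIONS):
        print("interesting connection:", row)
```

With the constructed data only the first connection is flagged: the SSH connection from 198.51.100.7 at 17:52 is preceded by three SCAN alerts from the same address, the connection from 192.0.2.55 has no alert history, and the later connection from the scanner falls outside the one-hour window. The window and hit threshold are the tuning knobs; tightening them trades missed correlations for fewer false positives, exactly the context dependence the post argues for.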