IDS mailing list archives

Re: Views and Correlation in Intrusion Detection


From: Blake Matheny <bmatheny () mkfifo net>
Date: Fri, 20 Jun 2003 12:47:29 -0400

snip...
context as what constitutes suspicious.  You observe that packets
matching j. random scan signature aren't very interesting unless the target
happens to be vulnerable to the thing being scanned for.  Fair enough.
snip...

Ahhh, now we're getting to the heart of the matter! What constitutes
'interesting traffic', but more so, do {H,N}IDS give you enough information to
make that decision? I would say no, but I would also say that this isn't the
job of your {H,N}IDS. I personally take the Unix approach to intrusion
detection. Have small components that do individual tasks well; they can be
combined to do something more powerful. If your NIDS can collect data and get
it to you, excellent. If you can also capture your syslog, excellent. And so
on. The problem with this data generation ends up being that you now have a
bunch of _data_, you want _information_. How do you gain information?
Unfortunately, IDMEF is not the answer. While I agree that an intermediary
(common) representation is a key component, IDMEF is specific to intrusion
detection. If IDS provided all the information we needed, that would be fine.
However, as I said before, we live in a heterogeneous world, and the
information we need is stored in a variety of contexts and formats. Don't think
just IDS, think configuration files, think ID data, think syslog data, think
network configurations, etc. The question is, how do we get information out of
all of our data? Food for thought.

Cheers,
-Blake


-- 
Blake Matheny           "... one of the main causes of the fall of the
bmatheny () mkfifo net      Roman Empire was that, lacking zero, they had
http://www.mkfifo.net    no way to indicate successful termination of
http://ovmj.org/GNUnet/  their C programs." --Robert Firth
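The "small components, then combine" approach sketched in the post, and the quoted point that a scan signature only matters when the target is actually vulnerable, can be shown as a small correlator. This is an added example, not code from Blake or from the thread: it normalizes three constructed sources (NIDS alerts, a host/service inventory from configuration data, syslog lines) into simple records and joins them to rank alerts. The alert and inventory field layouts, the hostname-to-IP map and the 120-second evidence window are all assumptions made for the example, not any real tool's format.

```python
"""Toy correlator: turn heterogeneous security *data* into *information*
by joining a NIDS alert against the target's known configuration and its
own syslog. All inputs are constructed samples; formats are assumed."""
import re
from datetime import datetime, timedelta

# Constructed NIDS alerts (field layout assumed): a scan signature and its target.
NIDS_ALERTS = [
    {"ts": "2003-06-20T12:40:01", "sig": "SCAN openssh version probe",
     "src": "10.0.9.7", "dst": "10.0.1.20", "dport": 22},
    {"ts": "2003-06-20T12:40:03", "sig": "SCAN openssh version probe",
     "src": "10.0.9.7", "dst": "10.0.1.21", "dport": 22},
    {"ts": "2003-06-20T12:41:10", "sig": "SCAN mssql ping",
     "src": "10.0.9.7", "dst": "10.0.1.20", "dport": 1434},
]

# Constructed inventory, the kind of thing configuration management knows:
# which service listens on which port and whether its patch state is
# flagged vulnerable to what the signature scans for.
INVENTORY = {
    "10.0.1.20": {22: {"service": "openssh", "vulnerable": True}},
    "10.0.1.21": {22: {"service": "openssh", "vulnerable": False}},
}

# Constructed syslog lines in the traditional BSD syslog prefix style.
SYSLOG = [
    "Jun 20 12:40:02 host20 sshd[4412]: Did not receive identification string from 10.0.9.7",
    "Jun 20 12:40:04 host21 sshd[918]: Did not receive identification string from 10.0.9.7",
    "Jun 20 12:42:30 host20 sshd[4420]: Accepted publickey for deploy from 10.0.2.5 port 40122 ssh2",
]
HOSTNAME_TO_IP = {"host20": "10.0.1.20", "host21": "10.0.1.21"}  # constructed mapping

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+)\[\d+\]: (.*)$")


def parse_syslog(lines, year=2003):
    """Normalize syslog lines into records; the BSD format carries no year,
    so one is supplied. Unparseable lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": HOSTNAME_TO_IP.get(m.group(2), m.group(2)),
                       "prog": m.group(3), "msg": m.group(4)})
    return events


def assess(alert, inventory):
    """Decide how interesting a scan alert is from the target's configuration."""
    svc = inventory.get(alert["dst"], {}).get(alert["dport"])
    if svc is None:
        return "low", "nothing listens on the probed port"
    if not svc["vulnerable"]:
        return "low", f"{svc['service']} present but not vulnerable to this probe"
    return "high", f"{svc['service']} listening and flagged vulnerable"


def related_syslog(alert, events, window=timedelta(seconds=120)):
    """Syslog from the targeted host that mentions the alert's source near the alert time."""
    ats = datetime.fromisoformat(alert["ts"])
    return [e for e in events
            if e["host"] == alert["dst"] and alert["src"] in e["msg"]
            and abs(e["ts"] - ats) <= window]


def correlate(alerts=NIDS_ALERTS, inventory=INVENTORY, syslog=SYSLOG):
    """Join the three sources and return alerts ranked: vulnerable targets
    first, then by how much corroborating host-side evidence exists."""
    events = parse_syslog(syslog)
    results = []
    for a in alerts:
        prio, why = assess(a, inventory)
        evidence = [e["msg"] for e in related_syslog(a, events)]
        results.append({**a, "priority": prio, "reason": why, "evidence": evidence})
    results.sort(key=lambda r: (r["priority"] != "high", -len(r["evidence"])))
    return results


if __name__ == "__main__":
    for r in correlate():
        print(f"[{r['priority']}] {r['sig']} -> {r['dst']}:{r['dport']}: "
              f"{r['reason']}; {len(r['evidence'])} syslog line(s) corroborate")
```

Each piece (syslog parser, inventory lookup, time-window join) is a separate small function, so swapping the constructed inputs for real feeds means replacing one normalizer rather than the correlator; the interesting answer comes from the join, not from any single source.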
