IDS mailing list archives
RE: Anomaly based network IDS
From: "Graham, Robert (ISS Atlanta)" <rgraham () iss net>
Date: Fri, 28 Mar 2003 02:36:55 -0500
> From: vishal p [mailto:vishalsec () yahoo com]
> Symantec Manhunt is a good example for that.

Manhunt is actually a poor example. Manhunt focuses on validating protocols: it watches network traffic to see if it conforms to the official protocol specifications. If it doesn't conform (i.e. is invalid), then it triggers an event.

What vendors like Network ICE, NFR, SecureNet Pro, ISS etc. have traditionally called "protocol-anomaly detection" is a similar process of watching network traffic looking for things that conform to the official specification, but which appear to be abnormal.

For example, consider the SNMP protocol decode I wrote in my product. It looks at the community string length field. It does two checks. One check is to see if the "length" claims to be longer than the packet -- which is invalid. Another check tests it against the threshold length of 256 characters -- which is valid, but unusual.

Protocol-validation vs. valid-but-anomalous give very different results. They are as different in output from each other as traditional pattern-matching is from either of them.

A good example of an anomaly signature is the following:

    SQL_SSRP_StackBo is (
        udp.dst == 1434
        ssrp.type == 4
        ssrp.name.length > ssrp.threshold
    )
    where ssrp.type is first-byte of packet
    where ssrp.name is nul-terminated string starting at second byte
    where ssrp.threshold defaults to 97

This signature was written for my IDS back in August of last year -- right after the vulnerability was announced. Unlike pattern-match systems (like Dragon or Snort), I didn't have to wait for Slammer to appear in order to write detection for it. Unlike a protocol-validator like Manhunt, I tested things which were legal as far as the protocol was concerned, but which are strange/odd/weird/anomalous.

Note that most of the signatures in RealSecure are written in the manner demonstrated by the signature above, though Symantec claims that RealSecure doesn't support protocol-anomaly detection.
Current thread:
- Anomaly based network IDS vishal p (Mar 27)
- Re: Anomaly based network IDS Lance Spitzner (Mar 27)
- RE: Anomaly based network IDS Graham, Robert (ISS Atlanta) (Mar 28)
- Re: Anomaly based network IDS Brian Hernacki (Mar 28)