IDS mailing list archives
Re: question about anomalies detection
From: Omar Herrera <oherrera () prodigy net mx>
Date: Thu, 02 Sep 2004 15:22:17 -0500
Hi Nafis,
> Hi everyone, sorry if my question seems to be a dummy question, but I need to know several things about anomaly detection for my college assignment. Below are some things to answer (if you don't mind):
>
> 1. To train the anomaly detection system, we must train the application with the normal profile. My question is how we get the normal profile: are they built by ourselves, or do we try to get them from our network dump data to be set as the normal profile, or do we use the prebuilt data on the net (like the Lincoln Lab data)?
Usually, you set up the tool to gather a sample of the traffic to create tables of normal traffic and adjust its thresholds. Of course, you should choose the best time to do this carefully: profiling the traffic during the night, with no server activity, would result in a bunch of false positives when your servers start receiving traffic. This is how this works (in general terms); each product has particular capabilities and there are specifics for the fine-tuning of each product.
> 2. Is there any paper about SPADE (Snort plugin)? I've been googling for some time but never found one.
http://www.silicondefense.com/, the website of the plugin, is unreachable (at least for me). You can still find a copy of the plugin in the latest snort distribution, inside the contrib directory. The README file in there has a very good description of the algorithms involved in SPADE. In essence, SPADE works only at the network level, meaning that it can only identify traffic to/from certain IPs and ports, but it cannot tell you if it is invalid from an application point of view (for example, it cannot analyze whether the payload of an HTTP packet violates some HTTP protocol specification). It seems SPADE is no longer maintained (the last update I know of is from 2000), but you might still find it useful.

I don't think anomaly detection systems are well suited for the perimeter with the Internet. Some will differ from this opinion based on the capabilities of certain products and the environment, but generally speaking, if your traffic is diverse at the perimeter (almost any IP and port from and to your network), you will either find that it spits out a lot of false positives or that the profile is so relaxed that it doesn't alert on anything and thus is of no use. In an internal network they might be more useful. For example, you could easily spot a worm trying to propagate through your network.

Hope this helps,

Omar Herrera
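The two points in the reply above (a profile captured at the wrong time produces false positives once real load appears, and a network-level scorer that only sees IP/port pairs is still enough to spot a worm fanning out inside the network) can be shown with a small script. This is an added example and is not code from the original post or from SPADE itself: the `-log2 P(dst_ip, dst_port)` score is modeled on the general idea the SPADE README describes, while the Laplace smoothing, the "max training score + margin" threshold calibration, the class and function names, and all traffic records are constructed here for the demonstration.

```python
"""Network-level anomaly scoring in the spirit of SPADE (added example).

A profile is a frequency table of (destination IP, destination port)
pairs.  Each flow is scored as -log2 of the probability of its pair
under the profile, so pairs never seen during training score highest.
Everything below (traffic, smoothing, threshold rule) is constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed sample flows: (src_ip, dst_ip, dst_port).
# "Night" window: only workstation DNS/NTP chatter to 10.0.0.1, no server load.
NIGHT_TRAFFIC = [
    ("10.0.0.5", "10.0.0.1", 53),
    ("10.0.0.6", "10.0.0.1", 53),
    ("10.0.0.7", "10.0.0.1", 53),
    ("10.0.0.5", "10.0.0.1", 123),
]

# "Day" window: the same chatter plus legitimate client load on the
# internal web server 10.0.0.20 and mail server 10.0.0.21.
DAY_TRAFFIC = NIGHT_TRAFFIC + [
    ("10.0.0.5", "10.0.0.20", 80),
    ("10.0.0.6", "10.0.0.20", 80),
    ("10.0.0.7", "10.0.0.20", 80),
    ("10.0.0.8", "10.0.0.20", 443),
    ("10.0.0.5", "10.0.0.21", 25),
    ("10.0.0.8", "10.0.0.21", 25),
]

# Worm-like burst (constructed): one host contacting port 445 on ten
# hosts that never received traffic in either training window.
WORM_TRAFFIC = [("10.0.0.9", "10.0.0.%d" % n, 445) for n in range(30, 40)]


class AnomalyProfile:
    """Frequency table of (dst_ip, dst_port) pairs plus an alert threshold."""

    def __init__(self, margin_bits=0.5):
        self.counts = Counter()
        self.total = 0
        self.margin = margin_bits   # headroom above the rarest normal pair
        self.threshold = None       # set by train()

    def score(self, dst_ip, dst_port):
        """-log2 P(pair), Laplace-smoothed so unseen pairs are finite."""
        seen = self.counts[(dst_ip, dst_port)]
        distinct = len(self.counts) + 1        # +1 reserves mass for "unseen"
        p = (seen + 1) / (self.total + distinct)
        return -math.log2(p)

    def train(self, flows):
        """Build the table, then calibrate the threshold so that nothing in
        the training window alerts (rarest training pair + margin)."""
        for _src, dst_ip, dst_port in flows:
            self.counts[(dst_ip, dst_port)] += 1
            self.total += 1
        worst_normal = max(self.score(d, p) for _s, d, p in flows)
        self.threshold = worst_normal + self.margin

    def alerts(self, flows):
        """Flows whose score exceeds the calibrated threshold."""
        out = []
        for src, dst_ip, dst_port in flows:
            s = self.score(dst_ip, dst_port)
            if s > self.threshold:
                out.append((src, dst_ip, dst_port, round(s, 2)))
        return out


def fan_out(flows):
    """Distinct destination IPs per source: a cheap worm-propagation signal."""
    dests = defaultdict(set)
    for src, dst_ip, _port in flows:
        dests[src].add(dst_ip)
    return {src: len(d) for src, d in dests.items()}


def false_positives_from_night_profile():
    """Profile trained at night, replayed against ordinary daytime load."""
    prof = AnomalyProfile()
    prof.train(NIGHT_TRAFFIC)
    return prof.alerts(DAY_TRAFFIC)


def alerts_from_representative_profile(flows):
    """Profile trained on a representative daytime window."""
    prof = AnomalyProfile()
    prof.train(DAY_TRAFFIC)
    return prof.alerts(flows)


if __name__ == "__main__":
    print("night profile vs. day load:", false_positives_from_night_profile())
    print("day profile vs. day load:", alerts_from_representative_profile(DAY_TRAFFIC))
    print("day profile vs. worm burst:", alerts_from_representative_profile(WORM_TRAFFIC))
    print("fan-out per source:", fan_out(WORM_TRAFFIC))
```

With these constructed records the night-trained profile flags all six legitimate web and mail flows as anomalies (every server pair is unseen, so each scores log2(7) bits against a threshold of about 2.3), whereas the day-trained profile raises nothing on the same load and flags all ten worm flows at 4 bits each. The `fan_out` helper adds the signal a network-level tool can still use without looking at payloads: a single source touching ten new destinations on one port.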
Current thread:
- question about anomalies detection faisal99 (Sep 01)
- Re: question about anomalies detection Srinivasa Rao Addepalli (Sep 03)
- Re: question about anomalies detection Raj Malhotra (Sep 08)
- RE: question about anomalies detection Rob Shein (Sep 17)
- Re: question about anomalies detection Jose Maria Lopez (Sep 10)
- <Possible follow-ups>
- Re: question about anomalies detection Omar Herrera (Sep 03)
- Re: question about anomalies detection Christian Kreibich (Sep 07)