IDS mailing list archives
Re: FW: IDS Signature Confidence
From: Vipul Kumra <secureskillz () yahoo com>
Date: Tue, 21 Jun 2005 01:57:15 -0700 (PDT)
There can be different approaches to detect a DoS attack when using an IDS. It depends upon what type of DoS attack you are trying to prevent, e.g. a DoS attack can be accomplished by sending a large number of packets so as to overwhelm the system, thus causing it to stop servicing legitimate requests. The other way could be to just send a single packet that causes a buffer overflow in some application so that it hangs or terminates (which will again lead to a DoS situation).

Now to tackle the second case, where a single packet can do enough harm, we can write a signature to drop that packet by just looking at its contents. For detecting the first case there can be counter-based signatures. The counter-based category of IDS attacks are the ones that are detected if packets containing certain characteristics are seen repeatedly in the network. The attack is confirmed if n packets containing a specified characteristic are seen in the network within time t. The counter-based attacks typically cause a denial of service to other genuine packets in the system, by flooding the resource that other genuine packets in the system are also attempting to use. For this reason, the counter-based attacks are also called Denial of Service Attacks.

Proper testing of the signature should be done to find out a near-accurate false positive and false negative ratio.

Vipul
-----Original Message-----
From: Raffael Marty [mailto:raffy () raffy ch]
Sent: Tuesday, June 21, 2005 4:30 AM
To: focus-ids () lists securityfocus com
Subject: IDS Signature Confidence

I was thinking about the following problem: Assume you have an NIDS signature looking for DoS attacks. In most of the cases I don't trust the NIDS reporting on a DoS attack. A lot of the DoS sigs just look at some bytes on the wire and tell me that there is a DoS attack going on. However, I need some more evidence that my services are indeed not accessible anymore. Some signatures on the other hand are very specific and you can trust them with whatever they report.

Now this brings me to my question: How do you guys decide how much confidence you put in a certain IDS signature? And I am not talking about prioritizing the event. I am talking about assigning a "success" or "possible success" to signatures.

-raffy

--
Raffael Marty, GCIA, CISSP raffael.marty () arcsight com
Senior Security Engineer Content Team @ ArcSight Inc.
5 Results Way Cupertino, CA 95014 (408) 864-2662
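The two signature types Vipul contrasts, a single-packet content rule and an "n packets with a characteristic within time t" counter rule, as an added example that is not part of the thread. The traffic records, addresses and thresholds below are constructed for illustration; the sliding window is kept per destination so a burst against one host does not count towards another.

```python
from collections import deque

# Constructed sample traffic (not from the thread): (time_s, src, dst, tcp_flags, payload)
TRAFFIC = [
    (0.0,  "198.51.100.7", "192.0.2.10", "S",  b""),
    (0.2,  "198.51.100.7", "192.0.2.10", "S",  b""),
    (0.4,  "198.51.100.8", "192.0.2.10", "S",  b""),
    (0.5,  "10.0.0.5",     "192.0.2.20", "PA", b"GET / HTTP/1.0\r\n"),
    (0.6,  "198.51.100.9", "192.0.2.10", "S",  b""),
    (0.9,  "198.51.100.7", "192.0.2.10", "S",  b""),
    (5.0,  "10.0.0.6",     "192.0.2.20", "S",  b""),
    (9.0,  "10.0.0.6",     "192.0.2.20", "PA", b"A" * 2000),
    (30.0, "10.0.0.7",     "192.0.2.20", "S",  b""),
]

def single_packet_alerts(packets, rule):
    """Content rule: one packet is enough to alert (the 'one packet causes the crash' case)."""
    return [(ts, src, dst) for ts, src, dst, _flags, payload in packets if rule(payload)]

def counter_alerts(packets, characteristic, n, t):
    """Counter rule: alert when n packets with the characteristic reach one destination within t seconds."""
    windows = {}   # dst -> timestamps of matching packets still inside the window
    alerts = []
    for ts, _src, dst, flags, payload in packets:
        if not characteristic(flags, payload):
            continue
        win = windows.setdefault(dst, deque())
        win.append(ts)
        while ts - win[0] > t:      # expire timestamps older than the window
            win.popleft()
        if len(win) >= n:
            alerts.append((dst, ts, len(win)))
            win.clear()             # one alert per burst rather than one per extra packet
    return alerts

# Hypothetical rules: an oversized payload for the single-packet case, bare SYNs for the counter case
oversized = lambda payload: len(payload) > 1024
bare_syn = lambda flags, payload: flags == "S" and not payload

if __name__ == "__main__":
    print(single_packet_alerts(TRAFFIC, oversized))
    print(counter_alerts(TRAFFIC, bare_syn, n=5, t=2.0))
```

Re-running `counter_alerts` over the same capture with different n and t is the kind of tuning Vipul's last sentence asks for: the three SYNs to 192.0.2.20 spread over 30 seconds stay below threshold, while the five to 192.0.2.10 inside one second trip it.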
Current thread:
- IDS Signature Confidence Raffael Marty (Jun 20)
- Re: IDS Signature Confidence David W. Goodrum (Jun 21)
- <Possible follow-ups>
- Re: FW: IDS Signature Confidence Vipul Kumra (Jun 21)
- Re: Re: FW: IDS Signature Confidence bbhikkaji (Jun 28)