IDS mailing list archives
Re: anomaly IDS ideas ?
From: "Christian G. Charette" <ccharette () lastminute com>
Date: Fri, 03 Feb 2006 14:00:34 +0000
Check www.cfengine.org, it is not an IDS, but may bring to you some extra ideas, it's a massive configuration management tool, but it also have a great anomaly detection tool (at OS level off course), and there's also an anomaly detection project in an advanced state. Maybe you can grab some cool ideas from there. BTW, good luck with you project! Ch.- the_aok () yahoo com wrote:
hello, im a computer science student and i have to do my graduation project next semester, i want to do it on anomaly IDS's. i have searched the internet and found little on that subject,here are my ideas on how to implement a network anomaly IDS,please correct me where im wrong or if u have any other references or ideas i would be happy to hear from you: the IDS will have 2 stages;first it will study the network traffic and build some kind of a database that keeps what should be marked as 'safe' and after collecting enough information it should start running and issue alerts when anomalies happen(network data will be compared to the database built in the first stage),this is the data im going to collect: 1-information about each hostname,IP address,and MAC address.(i think this should stop ARP Poisoning attacks by comparing later traffic to the database of MAC addresses associated with IP addresses) 2-ports open on each host and ports that each host connects to.the IDS should issue an alert if the host opens a port which wasnt open before or tries to connect to a new port; with this i think that exploits that use bind or connectback shellcode should be stopped. 3-times each host uses the network and which usernames it uses to connect to network resources; this should enable the IDS to detect if someone else is using the computer or using a different username. this is it :) i know that this is not near enough and that is why im sending this email, for example if someone uses an upload/exec shellcode in an exploit i dont think that the IDS will detect it, or if a trojan connects to a common port(for example port 80) the IDS won't notice it. another thing i want is to minimize false positives,which is an important thing.the main aim of the IDS will be to stop 0day attacks from happening, so if anyone has any ideas or any references i would really appreciate it. thank you, ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com ********************************************************************** ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- anomaly IDS ideas ? the_aok (Feb 02)
- Re: anomaly IDS ideas ? Simon Biles (Feb 06)
- Re: anomaly IDS ideas ? Christian G. Charette (Feb 07)
- Re: anomaly IDS ideas ? Stefano Zanero (Feb 07)