
Re: [ANN]: Firestorm 0.5.1 released

From: Gianni Tedesco <gianni(at)ecsc.co.uk>
Date: Wed Dec 04 2002 - 10:52:21 EST

On Wed, 2002-12-04 at 07:52, sam wrote:
> It seems a good tool to use. Is it another signature-based IDS, not anything
> like Flow-based IDS?

For now it is signature based (with some state, eg: ip-defragmentation and tcp state tracking) but I am actually aiming towards what I guess you mean by flow-based.

In the near future firestorm will support TCP stream reassembly, full application layer decode for selected protocols and also application layer state tracking.

For example, SMTP state tracking such that if an attacker connects to an SMTP server and sends "VRFY root\r\n", firestorm will only alert if it was done in state (eg: after a successful "MAIL" command, and not as part of the body of a mail message).

Is this the kind of thing you mean by 'flow based'?

Personally I can't wait to implement this. I get a lot of false positives in POP3, where some POP3 commands are interpreted as viruses inside email, and also large HTTP POSTs where post data is interpreted as though it were part of the request.

Do you need help?

PS. I am also researching a few different methods for doing anomaly detection too, more on that when I get something implemented.

Thanks for the interest.

-- 
// Gianni Tedesco (gianni at ecsc dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D

Received on Wed Dec 4 19:24:44 2002
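To make the SMTP example in the message concrete, here is an added illustration (written for this archive page, not Firestorm code and not from the original post) of the state tracking described: a constructed tracker follows both sides of a session and flags "VRFY" only when it is parsed as a command, never when the same text sits inside the body of a DATA phase, and records whether an accepted MAIL command preceded it. The session transcripts and all names are made up.

```python
class SmtpTracker:

    def __init__(self):
        self.state = "command"
        self.pending = None      # last client command awaiting a server reply
        self.mail_ok = False     # server has accepted a MAIL command
        self.alerts = []         # (line, issued_after_accepted_mail)

    def client(self, line):
        if self.state == "data":
            if line == ".":      # end of body: back to the command phase
                self.state = "command"
            return               # body text is never parsed as a command
        verb = line.split(" ", 1)[0].upper()
        self.pending = verb
        if verb == "VRFY":       # only a real VRFY command reaches here
            self.alerts.append((line, self.mail_ok))

    def server(self, line):
        code = line[:3]
        if self.pending is None or not code.isdigit():
            return
        if self.pending == "DATA" and code == "354":
            self.state = "data"
        elif self.pending == "MAIL" and code.startswith("2"):
            self.mail_ok = True
        self.pending = None

def stateful_alerts(events):
    """events: list of (side, line) with side 'C' (client) or 'S' (server)."""
    t = SmtpTracker()
    for side, line in events:
        (t.client if side == "C" else t.server)(line)
    return t.alerts

def stateless_hits(events):
    """What a context-free payload match would report, for comparison."""
    return sum(1 for side, line in events
               if side == "C" and line.upper().startswith("VRFY"))

# Constructed session A: VRFY issued as a command after an accepted MAIL.
SESSION_A = [("S", "220 mx ready"), ("C", "HELO x"), ("S", "250 ok"),
             ("C", "MAIL FROM:<a@x>"), ("S", "250 ok"),
             ("C", "VRFY root"), ("S", "252 cannot verify")]
# Constructed session B: the same text only inside a message body.
SESSION_B = [("S", "220 mx ready"), ("C", "HELO x"), ("S", "250 ok"),
             ("C", "MAIL FROM:<a@x>"), ("S", "250 ok"), ("C", "RCPT TO:<b@x>"),
             ("S", "250 ok"), ("C", "DATA"), ("S", "354 go ahead"),
             ("C", "Subject: hi"), ("C", ""), ("C", "VRFY root"), ("C", "."),
             ("S", "250 queued")]
```

The stateless match fires once on each session, while the tracker alerts only on session A.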
