Re: Anomaly based network IDS

From: Brian Hernacki <bhern(at)meer.net>
Date: Thu Apr 03 2003 - 12:42:56 EST

>How does it determine what is suspicious?
The detection logic of the 'compliant but suspicious' subset of the protocol anomaly detection is generally built based on manual analysis.

There are several ways to determine cases which are compliant but still worth alerting on (even though you don't *know* it's a particular exploit). Sometimes we will examine a protocol for obvious points of attack. Other times we may examine a class of exploits or even applications and create logic to detect those types of attacks more generically. Often these 'gaps' are created by grey areas in protocol specifications or differences between specification and implementation.

ManHunt also applies similar logic in its other detection mechanisms (e.g. traffic monitoring and analysis).

--brian
brian_hernacki@symantec.com
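To make the two tiers Brian describes concrete, here is an added example, written for this archive page and not ManHunt or Symantec code. It takes raw HTTP request heads and first rejects what violates the RFC 2616 grammar (non-compliant), then applies a handful of rules to requests that are grammatically legal but look nothing like what ordinary clients emit (compliant but suspicious). The rules chosen (unnecessary percent-encoding, double encoding, dot-dot segments, duplicate Host fields, overlong fields, uncommon methods), the length thresholds and the sample requests are all assumptions constructed for illustration; in a real product they would be the output of the manual analysis the post describes.

```python
"""Two-tier protocol anomaly check for HTTP request heads.

Constructed example, not ManHunt/Symantec code.  Tier 1 rejects requests
that break the RFC 2616 grammar.  Tier 2 flags requests that are legal but
sit in spec grey areas or spec/implementation gaps that real clients rarely
touch.  The rule set and thresholds below are assumptions."""
import re
from urllib.parse import unquote

TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 2616 'token'
VERSION_RE = re.compile(r"^HTTP/\d+\.\d+$")
COMMON_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
MAX_URI_LEN = 2048            # assumed threshold
MAX_HEADER_VALUE_LEN = 4096   # assumed threshold


def parse_request(raw: bytes):
    """Split a request head into (method, uri, version, headers).
    Raises ValueError when the head does not fit the RFC grammar."""
    head = raw.split(b"\r\n\r\n", 1)[0].rstrip(b"\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("request line is not 'METHOD SP URI SP VERSION'")
    method, uri, version = (p.decode("latin-1") for p in parts)
    if not TOKEN_RE.match(method):
        raise ValueError("method is not an RFC 2616 token")
    if not VERSION_RE.match(version):
        raise ValueError("bad HTTP-Version")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN_RE.match(name.decode("latin-1")):
            raise ValueError("header line is not 'field-name: field-value'")
        headers.append((name.decode("latin-1").lower(), value.decode("latin-1").strip()))
    return method, uri, version, headers


def classify(raw: bytes) -> list:
    """Return alert strings prefixed 'NONCOMPLIANT: ' or 'SUSPICIOUS: '.
    An empty list means the request looks like ordinary client traffic."""
    try:
        method, uri, version, headers = parse_request(raw)
    except ValueError as err:
        return [f"NONCOMPLIANT: {err}"]          # tier 1: grammar violation

    alerts = []                                  # tier 2: legal but odd
    path = uri.split("?", 1)[0]
    decoded_path = unquote(path)

    if method not in COMMON_METHODS:
        alerts.append(f"SUSPICIOUS: legal but uncommon method {method}")
    if len(uri) > MAX_URI_LEN:
        alerts.append("SUSPICIOUS: overlong Request-URI")
    # %41 for 'A' is legal, but browsers never emit it; a classic signature-evasion trick.
    for m in re.finditer(r"%([0-9A-Fa-f]{2})", path):
        if chr(int(m.group(1), 16)).isalnum():
            alerts.append("SUSPICIOUS: unnecessary percent-encoding of unreserved character")
            break
    # Still seeing %xx after one decode means double encoding; servers differ on how many passes they apply.
    if re.search(r"%[0-9A-Fa-f]{2}", decoded_path):
        alerts.append("SUSPICIOUS: double percent-encoding")
    # '..' is a legal segment; whether it escapes the document root depends on the server's normalisation.
    if ".." in decoded_path.split("/"):
        alerts.append("SUSPICIOUS: dot-dot path segment after decoding")
    # The grammar allows repeated fields; implementations disagree on which Host wins.
    if [n for n, _ in headers].count("host") > 1:
        alerts.append("SUSPICIOUS: duplicate Host header")
    for name, value in headers:
        if len(value) > MAX_HEADER_VALUE_LEN:
            alerts.append(f"SUSPICIOUS: overlong {name} header value")
            break
    return alerts


SAMPLES = {  # constructed request heads, not captured traffic
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: x\r\n\r\n",
    "malformed": b"GET /index.html\r\nHost: www.example.test\r\n\r\n",
    "traversal": b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "evasion": b"GET /%41dmin/%252e%252e/ HTTP/1.1\r\nHost: a.test\r\nHost: b.test\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw) or ["ok"])
```

The point of keeping the two tiers separate is the one made in the post: the second tier never claims to know which exploit it is looking at, only that the request is shaped in a way a legitimate client has no reason to produce, so each rule carries a note of which grey area or implementation difference it rests on.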



Received on Thu Apr 3 12:53:37 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:11 EDT

