Re: Views and Correlation in Intrusion Detection
snip...
> context as what constitutes suspicious. You observe that packets
snip...
Ahhh, now we're getting to the heart of the matter! What constitutes
'interesting traffic', but more so, do {H,N}IDS give you enough information to
make that decision? I would say no, but I would also say that this isn't the
job of your {H,N}IDS. I personally take the Unix approach to intrusion
detection: have small components that do individual tasks well; they can be
combined to do something more powerful. If your NIDS can collect data and get
it to you, excellent. If you can also capture your syslog, excellent. And so
on. The problem with this data generation ends up being that you now have a
bunch of _data_; you want _information_. How do you gain information?
Unfortunately, IDMEF is not the answer. While I agree that an intermediary
(common) representation is a key component, IDMEF is specific to intrusion
detection. If IDS provided all the information we needed, that would be fine.
However, as I said before, we live in a heterogeneous world, and the
information we need is stored in a variety of contexts and formats. Don't think
just IDS, think configuration files, think ID data, think syslog data, think
network configurations, etc. The question is, how do we get information out of
all of our data? Food for thought.
Cheers,
-Blake
--
Blake Matheny
bmatheny@mkfifo.net
http://www.mkfifo.net
http://ovmj.org/GNUnet/

"... one of the main causes of the fall of the Roman Empire was that, lacking
zero, they had no way to indicate successful termination of their C programs."
--Robert Firth
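An added example, not from Blake's post or from any IDS product, of the "small components plus a common representation" approach he describes: two tiny parsers reduce a NIDS alert and syslog lines to one Event schema, and a correlator turns that data into information by flagging actors that more than one source reports within a time window. The Event fields, the 300 s window and all sample lines (Snort-style fast-alert and BSD-syslog formats) are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input, not real traffic: one Snort-style NIDS alert and two syslog lines.
YEAR = 2003  # neither format carries a year, so one is assumed for the sample data
NIDS_ALERTS = ["06/22-23:40:01.123456  [**] [1:100001:1] WEB-ATTACK suspicious URI "
               "[**] [Priority: 1] {TCP} 192.0.2.10:51234 -> 198.51.100.5:80"]
SYSLOG_LINES = ["Jun 22 23:40:03 web1 sshd[4242]: Failed password for root from 192.0.2.10 port 40022 ssh2",
                "Jun 22 23:45:00 web1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)"]

@dataclass(frozen=True)
class Event:            # the common representation every source is reduced to (hypothetical schema)
    ts: datetime
    source: str         # component that produced it: "nids", "syslog", ...
    actor: str          # remote address the event concerns, "" if none
    summary: str

_NIDS = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(.*?)\s+"
                   r"\[\*\*\].*\{\w+\}\s+([\d.]+):\d+\s+->")
_SYSLOG = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (\S+?)(?:\[\d+\])?: (.*)$")
_FROM_IP = re.compile(r"\bfrom ([\d.]+)")

def parse_nids(line: str) -> "Event | None":
    m = _NIDS.match(line)                      # None for lines this parser does not understand
    if not m:
        return None
    return Event(datetime.strptime(f"{m[1]} {m[2]} {YEAR}", "%m/%d %H:%M:%S %Y"), "nids", m[4], m[3])

def parse_syslog(line: str) -> "Event | None":
    m = _SYSLOG.match(line)
    if not m:
        return None
    ip = _FROM_IP.search(m[3])                 # an actor only when the message names one
    ts = datetime.strptime(f"{m[1]} {YEAR}", "%b %d %H:%M:%S %Y")
    return Event(ts, "syslog", ip[1] if ip else "", f"{m[2]}: {m[3]}")

def correlate(events: list, window_s: int = 300) -> list:
    by_actor: dict = {}
    for e in sorted((e for e in events if e and e.actor), key=lambda e: e.ts):
        by_actor.setdefault(e.actor, []).append(e)
    findings = []  # data -> information: actors reported by two or more sources within window_s
    for actor, evs in by_actor.items():
        sources = sorted({e.source for e in evs})
        if len(sources) >= 2 and (evs[-1].ts - evs[0].ts).total_seconds() <= window_s:
            findings.append({"actor": actor, "sources": sources, "events": len(evs)})
    return findings

def run() -> list:
    events = [parse_nids(l) for l in NIDS_ALERTS] + [parse_syslog(l) for l in SYSLOG_LINES]
    return correlate(events)
```

Adding another source means writing one more parser that emits Event; the correlator never has to know the original format, which is the point of the intermediary representation.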
Received on Sun Jun 22 23:42:12 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:15 EDT