Subject: RE: IDS: RE: RE: Looking for info on writing custom signatures for Cisco NetRanger (IDS)
From: Dug Song (dugsongmonkey.org)
Date: Wed Sep 27 2000 - 09:59:34 CDT


On Wed, 27 Sep 2000, Martins, Fernando (Lisbon) wrote:

> what is your advice for a non-commercial tcp/ip traffic normalizer
> (NT/2000 or Linux)?

i only know of three.

Vern Paxson has been working on one for a while in conjunction with Bro,
though (to my knowledge) he hasn't released any code.

some good friends here at umich have built a scrubber on FreeBSD, which we
may end up porting to the OpenBSD bridge. they presented it last March at
IEEE Infocom, although no code is available yet:

        http://www.eecs.umich.edu/~rmalan/publications/mwjhInfocomm2000.ps.gz

but if you need to deploy something immediately, IP filter on the OpenBSD
bridge actually has a good bit of functionality, if configured correctly.
see Guido van Rooij's description of its design, presented at SANE 2000:

        http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz

-d.

---
http://www.monkey.org/~dugsong/