OSEC

 
From: Joe Carnahan (haq4jcYAHOO.COM)
Date: Wed Apr 04 2001 - 17:08:00 CDT


    --- darkeyes <darkeyes263.NET> wrote:
    > hi all:
    > In my final college project I will make an
    > IDS based on libpcap & libnids. But after these days, I
    > found that the packet-sniffer IDS is like some
    > antivirus software such as McAfee. We can only
    > analyse the exploit on the specific system to
    > collect the rules.

    Or in other words, how could you ever detect a new
    exploit before the vendor releases a new "exploit
    definition" and you install that definition? It's
    true, with most IDSes, you're screwed. One approach
    that I've used in writing filters for SHADOW is to
    define my filters as something like

       tcp and not (
         <all acceptable traffic>
       )

    Now, here's the big problem with my own suggestion:
    That's good if you're just watching traffic patterns,
    since the set of "acceptable" things is finite. But,
    there's a limitless amount of acceptable content, so
    for content filtering, I don't know how you could
    improve on the signature-based model.

    Just some thoughts,
    Joe

    =====
    Joseph Carnahan
    haq4jcyahoo.com
    Home: (540) 361-4345
    Work: (540) 653-5798
       or (703) 697-6318

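The two detection models Joe contrasts above, as an added illustration that is not part of the original post and not SHADOW's own code: an allow-list filter in the shape `tcp and not (<all acceptable traffic>)` flags any TCP traffic pattern outside a finite site policy, while content detection stays signature-based. The site policy, the packet records, the signature and the sample traffic are all constructed here; the `bpf_expression` helper only renders a tcpdump-style filter string and does not compile it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for a decoded libpcap frame (constructed, not capture data)."""
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Hypothetical site policy: the finite set of acceptable TCP traffic patterns,
# as (destination network, destination port) pairs.
ACCEPTABLE = [
    ("10.0.0.0/24", 80),   # public web server
    ("10.0.0.0/24", 25),   # mail relay
    ("10.0.0.0/24", 22),   # administrative ssh
]


def bpf_expression(rules):
    """Render the allow list as a tcpdump/BPF-style filter string in the
    shape 'tcp and not (<all acceptable traffic>)'."""
    clauses = [f"(dst net {net} and dst port {port})" for net, port in rules]
    return "tcp and not (" + " or ".join(clauses) + ")"


def is_acceptable(pkt, rules=ACCEPTABLE):
    """True when the packet's destination matches one of the allowed patterns."""
    addr = ipaddress.ip_address(pkt.dst)
    return any(addr in ipaddress.ip_network(net) and pkt.dport == port
               for net, port in rules)


def unexpected_tcp(packets, rules=ACCEPTABLE):
    """Pattern-level detection: every TCP packet outside the allow list is
    flagged, whether or not anyone has written a signature for it yet."""
    return [p for p in packets if p.proto == "tcp" and not is_acceptable(p, rules)]


# Content-level detection stays signature-based: a finite list of known-bad
# byte patterns (constructed placeholder, not a real IDS signature).
SIGNATURES = {
    "constructed-sig-cgi": b"/cgi-bin/",
}


def signature_hits(packets, sigs=SIGNATURES):
    """Return (signature name, packet) pairs for payloads containing a known pattern."""
    return [(name, p) for p in packets for name, pat in sigs.items() if pat in p.payload]


# Constructed traffic sample.
SAMPLE = [
    # ordinary web request: acceptable pattern, no signature hit
    Packet("tcp", "192.0.2.10", "10.0.0.5", 80, b"GET / HTTP/1.0\r\n"),
    # never-seen pattern: caught by the allow list even though no signature exists
    Packet("tcp", "192.0.2.10", "10.0.0.5", 31337),
    # acceptable pattern, but the payload matches a known-bad signature
    Packet("tcp", "192.0.2.11", "10.0.0.5", 80, b"GET /cgi-bin/x HTTP/1.0\r\n"),
    # acceptable pattern, unknown content: neither model flags it (Joe's limitation)
    Packet("tcp", "192.0.2.12", "10.0.0.5", 80, b"GET /unknown-request HTTP/1.0\r\n"),
    # not TCP: outside this filter's scope
    Packet("udp", "192.0.2.10", "10.0.0.5", 53),
]


if __name__ == "__main__":
    print(bpf_expression(ACCEPTABLE))
    for p in unexpected_tcp(SAMPLE):
        print("unexpected pattern:", p)
    for name, p in signature_hits(SAMPLE):
        print("signature", name, "matched:", p)
```

The fourth sample packet is the case the post ends on: its destination and port are in the finite "acceptable" set, so the allow-list filter passes it, and no signature covers its content, so the signature model passes it too. Allow-listing patterns closes the gap for novel connections; allow-listing content is not something a finite filter can express.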