 
From: Chad Skipper (cskipper@SYMANTEC.COM)
Date: Wed Apr 04 2001 - 11:09:00 CDT


    To help out on this matter I will expand on Yune Sung's statement. I hope
    this is not taken as an advertising ploy, but Axent's NetProwler was
    mentioned.

    SO...

    NetProwler has an advanced method of detection called Stateful Dynamic
    Signature Inspection (SDSI) to detect network-based attacks.

    (Stateful) NetProwler can remember the contents of the active sessions that
    it monitors on the network. Therefore, rather than simply comparing an
    attack signature with a single packet, NetProwler builds a context around a
    network session. This allows NetProwler to monitor and prevent much more
    sophisticated attacks than the simple exploits that a single packet of data
    may contain. For example, NetProwler can detect attacks that occur in
    separate actions or steps.

    (Dynamic) You can also create new attack signatures and have them activated
    in real time without having to take the system offline. In addition, this
    technology allows you to customize NetProwler to your organization's needs
    and respond to the threats that your organization faces.

    (Signature Inspection) This is the method of detection that NetProwler
    uses. Signature Inspection works by comparing an attack signature (a set of
    rules that describe an attack) to a communication packet.

    Hope this helps

    Chad R. Skipper
    Software Engineer
    Symantec Corporation

    cskipper@symantec.com
    www.symantec.com

    From: Yune Sung <yune@NETIAN.COM>
    Sent by: Focus on Intrusion Detection Systems <FOCUS-IDS@SECURITYFOCUS.COM>
    To: FOCUS-IDS@SECURITYFOCUS.COM
    Subject: Re: Stateful inspection on IDS
    Date: 04/04/2001 02:11 AM
    Please respond to yune

    I guess Axent's NetProwler has a kind of Stateful
    Inspection Engine, called Stateful Dynamic
    Signature Inspection (SDSI). I think it has each
    application's state information, and detects customized
    attack signatures.
    Pls, check it out....

    Yune Sung

    KISA, Seoul Korea
    Email: yune@netian.com

    > To All,
    >
    > It is my understanding that no current IDS (including ISS's RealSecure) does
    > stateful inspection of the connections on the network segment being
    > monitored. Therefore, it is not necessary to establish a legitimate TCP
    > connection in order for the IDS to register an attempted attack. Since no
    > TCP connection is necessary, could someone with malicious intent spoof their
    > source IP address to be any address on the Internet, presuming that the site
    > that they are launching from has not implemented egress filtering as
    > described in RFC 2267? The target of the attack (or perhaps an intervening
    > firewall or packet filter) will disregard these fake attack packets because
    > they are not part of a legitimate, established TCP connection. With that
    > said, the IDS will log all the fake attacks.
    > The IDS will continue to run as normal, registering a large number of
    > attacks. If the attacker simultaneously runs a real attack during this
    > time, it will be difficult to tell from the IDS system alone which attack is
    > real and therefore where the real attack originated.
    >
    > Solution?
    > Could you put a firewall in front of the IDS that is only configured for
    > stateful inspection (a simple LINUX box firewall)? (Will this cause the IDS
    > to miss other attempted attacks as well?)
    >
    > Vern Waltman
    > JTF-CND Sr. Technical Analyst
    > Litton TASC
    > E-mail: waltmanv@jtfcnd.ia.mil
    > (703) 607-4050 ext. 4481
    > FAX: (703) 607-4009
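Both points in this thread, the per-session "stateful" matching Chad describes and the spoofed-decoy problem Vern raises, can be shown with a small simulation. The Python below is an added example; it is not code from this thread, from NetProwler, or from any other product named here. The packet trace, the addresses (documentation ranges), the flow key layout and the `ATTACK-PATTERN` signature are all constructed, and the handshake tracker is deliberately minimal (no sequence-number checks, no timeouts).

```python
"""Stateless vs stateful signature matching over a constructed packet trace.

Added example, not code from the thread or from any product named in it.
A detector that compares a signature with each packet in isolation alerts on
spoofed "decoy" packets that never completed a handshake; a detector that
first requires a completed TCP three-way handshake only alerts on payload
inside sessions the target itself would have accepted.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # simplified TCP flags: "S", "SA", "A", "PA", "F", "R"
    payload: bytes = b""


# Hypothetical single-packet signature: a byte pattern in the payload.
SIGNATURES = {b"ATTACK-PATTERN": "hypothetical-exploit"}


def match_signature(payload: bytes) -> Optional[str]:
    """Return the signature name if any pattern occurs in the payload."""
    for pattern, name in SIGNATURES.items():
        if pattern in payload:
            return name
    return None


def stateless_detect(packets):
    """Alert on every packet whose payload matches, ignoring session state."""
    alerts = []
    for p in packets:
        name = match_signature(p.payload)
        if name:
            alerts.append((p.src, name))
    return alerts


class StatefulDetector:
    """Minimal per-flow handshake tracker keyed on (client, cport, server, sport)."""

    def __init__(self):
        self.state = {}   # flow key -> "SYN" | "SYNACK" | "ESTABLISHED"

    def feed(self, p: Packet):
        fwd = (p.src, p.sport, p.dst, p.dport)   # flow as sent by this packet's source
        rev = (p.dst, p.dport, p.src, p.sport)   # the same flow seen from the other side
        if p.flags == "S":
            self.state[fwd] = "SYN"
        elif p.flags == "SA" and self.state.get(rev) == "SYN":
            self.state[rev] = "SYNACK"
        elif p.flags == "A" and self.state.get(fwd) == "SYNACK":
            self.state[fwd] = "ESTABLISHED"
        elif "F" in p.flags or "R" in p.flags:
            self.state.pop(fwd, None)
            self.state.pop(rev, None)
        elif p.payload and self.state.get(fwd) == "ESTABLISHED":
            # Only here is a signature compared: the session really exists.
            name = match_signature(p.payload)
            if name:
                return (p.src, name)
        return None


def stateful_detect(packets):
    det = StatefulDetector()
    alerts = []
    for p in packets:
        a = det.feed(p)
        if a:
            alerts.append(a)
    return alerts


def build_trace():
    """Constructed trace: one real session interleaved with three spoofed decoys."""
    client, server = "192.0.2.10", "198.51.100.5"

    def decoy(src):  # payload-bearing packet with no handshake behind it
        return Packet(src, server, 12345, 80, "PA", b"GET /ATTACK-PATTERN")

    return [
        decoy("203.0.113.1"),
        Packet(client, server, 40000, 80, "S"),
        Packet(server, client, 80, 40000, "SA"),
        decoy("203.0.113.2"),
        Packet(client, server, 40000, 80, "A"),
        Packet(client, server, 40000, 80, "PA", b"GET /ATTACK-PATTERN"),
        decoy("203.0.113.3"),
        Packet(client, server, 40000, 80, "F"),
    ]


TRACE = build_trace()

if __name__ == "__main__":
    print("stateless:", stateless_detect(TRACE))   # four alerts, three from decoys
    print("stateful: ", stateful_detect(TRACE))    # one alert, from the real session
```

Run as-is, the stateless pass produces four alerts, three of them from spoofed sources the target never talked to, while the stateful pass produces one, from the session that completed its handshake. The caveat that bears on Vern's closing question: a detector built this way has to see both directions of the traffic, and it evaluates payload only inside established sessions, so SYN-only probes are invisible to it and would need their own rate-based logic alongside.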