From: Banyat Adipat (badipatGLOBALDATAGUARD.COM)
Date: Thu Apr 05 2001 - 13:25:39 CDT


    I came to this conclusion 4 years ago (I was a director of security at a big
    firm): what we need is to have both knowledge- or signature-based IDS and
    systems like SHADOW (behavior-based) working together, then a "7 x 24 x
    365 monitoring team" to watch the alerts from both types of IDS and analyze
    them. The answer seems to be an easy one, but accomplishing it is another
    story.

    Banyat Adipat

    ----- Original Message -----
    From: "Joe Carnahan" <haq4jcYAHOO.COM>
    To: <FOCUS-IDSSECURITYFOCUS.COM>
    Sent: Wednesday, April 04, 2001 5:08 PM
    Subject: Re: Can (packet sniffers)ids not like AntiVirus

    > --- darkeyes <darkeyes263.NET> wrote:
    > > Hi all:
    > > In my final college project I will make an
    > > IDS based on libpcap & libnids. But after these days, I
    > > found that a packet-sniffer IDS is like some
    > > AntiVirus software such as McAfee. We can only
    > > analyse the exploit on the specific system to
    > > collect the rules.
    >
    > Or in other words, how could you ever detect a new
    > exploit before the vendor releases a new "exploit
    > definition" and you install that definition? It's
    > true, with most IDSes, you're screwed. One approach
    > that I've used in writing filters for SHADOW is to
    > define my filters as something like
    >
    > tcp and not (
    > <all acceptable traffic>
    > )
    >
    > Now, here's the big problem with my own suggestion:
    > That's good if you're just watching traffic patterns,
    > since the set of "acceptable" things is finite. But,
    > there's a limitless amount of acceptable content, so
    > for content filtering, I don't know how you could
    > improve on the signature-based model.
    >
    > Just some thoughts,
    > Joe
    >
    > =====
    > Joseph Carnahan
    > haq4jcyahoo.com
    > Home: (540) 361-4345
    > Work: (540) 653-5798
    > or (703) 697-6318
    >
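The "tcp and not (all acceptable traffic)" approach Joe describes above, as an added example that is not part of the original thread and is not his SHADOW filter set. It keeps each allow-rule in two forms, the tcpdump/BPF fragment SHADOW would consume and an equivalent Python predicate, renders the full negative filter string, and runs the same allowlist over a small constructed set of packet headers. The monitored network 192.0.2.0/24, the hosts, the ports and the packets are all assumptions invented for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical monitored network (documentation range, not a real site).
INTERNAL = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    """Header fields a sniffer-based IDS sees; payload is deliberately absent."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _in_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


# The finite set of "acceptable" traffic patterns. Each entry pairs the BPF
# fragment (what a SHADOW/tcpdump filter would take) with a Python predicate
# that implements the same test, so the two views cannot drift apart silently.
ACCEPTABLE = [
    # Anything originating inside the site is treated as acceptable here.
    ("src net 192.0.2.0/24",
     lambda p: _in_internal(p.src)),
    # Inbound web traffic to the (hypothetical) public web server.
    ("dst host 192.0.2.10 and (dst port 80 or dst port 443)",
     lambda p: p.dst == "192.0.2.10" and p.dport in (80, 443)),
    # Inbound SMTP to the (hypothetical) mail relay.
    ("dst host 192.0.2.20 and dst port 25",
     lambda p: p.dst == "192.0.2.20" and p.dport == 25),
]


def bpf_expression(rules=ACCEPTABLE) -> str:
    """Render the allowlist as a single negative BPF filter:
    tcp and not ( (rule1) or (rule2) or ... )."""
    body = " or ".join(f"({frag})" for frag, _ in rules)
    return f"tcp and not ({body})"


def is_acceptable(pkt: Packet, rules=ACCEPTABLE) -> bool:
    return any(pred(pkt) for _, pred in rules)


def suspicious(packets, rules=ACCEPTABLE):
    """Everything TCP that matches none of the allow-rules: the traffic the
    analyst looks at, new exploit or not, because no signature is involved."""
    return [p for p in packets if p.proto == "tcp" and not is_acceptable(p, rules)]


# Constructed sample traffic (invented for this example).
SAMPLE = [
    Packet("tcp", "203.0.113.5", 51000, "192.0.2.10", 80),     # web, allowed
    Packet("tcp", "203.0.113.5", 51001, "192.0.2.10", 22),     # ssh probe, flagged
    Packet("tcp", "192.0.2.33", 44000, "198.51.100.7", 443),   # outbound, allowed
    Packet("udp", "203.0.113.9", 53, "192.0.2.10", 53),        # not tcp, out of scope
    Packet("tcp", "203.0.113.5", 51002, "192.0.2.20", 25),     # smtp, allowed
    Packet("tcp", "203.0.113.5", 51003, "192.0.2.20", 1433),   # odd port, flagged
]


if __name__ == "__main__":
    print(bpf_expression())
    for p in suspicious(SAMPLE):
        print(f"ALERT {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Note what the example does and does not buy you, in line with Joe's caveat: the SSH and port-1433 packets are flagged without any knowledge of what exploit (if any) is behind them, purely because they fall outside the finite allowlist of header patterns. Nothing here inspects payload, and an attack carried inside an allowed flow (say, an HTTP request to port 80 of the web server) is invisible to this filter, which is exactly why content still needs the signature model.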