From: Jerry Shenk (jasDECNS.COM)
Date: Thu Apr 26 2001 - 21:19:54 CDT
That's what tripwire does...if a file gets modified or a directory gets
created, I want to know NOW!!!....and probably shut things down.
From: Focus on Intrusion Detection Systems
[mailto:FOCUS-IDS@SECURITYFOCUS.COM] On Behalf Of Mark Crosbie
Sent: Thursday, April 26, 2001 4:47 PM
Subject: Re: New method
In message <1522.214.171.124.159.988290963.squirrelwww.loria.fr>, Matthieu
>Your adventure just shows the limitations of signature based detection,
>like ADmutate and articles such as "50 ways to bypass IDS" did before :
>this method implies a sufficient knowledge of the mechanics of an attack in
>order to design a signature . This also means you have to see an attack
>first ( or foresee it, this would be better ! ), then react . And what
>about slight "mutations" of attacks ? Will your signature still match it ?
Therein lies the problem with any method that focuses on what an
attack *is* rather than what an attack *does*.
There is a subtle semantic difference here: two attacks may look
completely different, but they both may succeed in causing nfsd to
coredump on a signal exit. The best way to detect such an attack is
detect nfsd (or any network daemon) exiting unexpectedly with a core,
not the sequence of odd-ball packets that causes the exit.
Now some may argue "but I want to know any time anyone even tries that
sequence of odd-ball packets". Those people have not had to deal with
filtering alerts from an IDS console that lights up like a Christmas
tree every time a script-kiddie runs a probe. So I feel that losing
alerts which say "someone may have tried the foobar attack" and
gaining alerts which say "your NFS server exited unexpectedly with a
coredump" is a fair tradeoff. Thoughts anyone?
I wonder has anyone seen any products/research that focus on what the
various attacks do (i.e. the ultimate goal of the attack), rather than
how they do it (i.e. how they craft packets)?
--
Mark Crosbie
HP Praesidium IDS/9000 Product Architect
Hewlett-Packard
19447 Pruneridge Avenue, MS 47 LA
Cupertino, CA 95014
(408) 447-2308
mcrosbie@cup.hp.com
http://www.hp.com/security/products/ids
>Matthieu Huin
>Student-Engineer at the Ecole Nationale Supérieure des Mines de Nancy
>http://eleves.mines.u-nancy.fr/~huin/fake/filtres.html
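Mark's suggestion above (alert on the NFS daemon dying with a core dump, not on the odd-ball packets that caused it) is easy to prototype. The following is an added example, not code from anyone in this thread or from any HP product: it scans syslog-style process-exit lines, which I have constructed here in an assumed `init:` format, and raises an alert only when a watched network daemon terminates on a crash signal or with a core dump. An operator stopping `sshd` with SIGTERM produces no alert, which is the point of looking at what an attack does rather than what it looks like. The daemon list, the crash-signal set and the log format are all assumptions for the demonstration.

```python
import re
import signal
from dataclasses import dataclass

# Constructed sample syslog lines in an assumed init-style exit format.
# They are not taken from the thread; the kernel segfault line is noise
# that the exit-line pattern deliberately ignores.
SAMPLE_LOG = """\
Apr 26 21:10:01 nfs1 kernel: nfsd[2031]: segfault at 0 ip 08049a2c sp bffff3a0 error 4
Apr 26 21:10:01 nfs1 init: nfsd (pid 2031) terminated by signal 11 (core dumped)
Apr 26 21:12:30 nfs1 init: sshd (pid 1090) terminated by signal 15
Apr 26 21:15:00 nfs1 init: httpd (pid 3302) terminated by signal 6 (core dumped)
Apr 26 21:16:00 nfs1 init: cron (pid 411) exited with status 0
Apr 26 21:18:45 nfs1 init: named (pid 777) terminated by signal 9
"""

# Network daemons whose unexpected death is worth an alert (assumed list).
WATCHED_DAEMONS = {"nfsd", "sshd", "httpd", "named"}

# Signals that mean "the process crashed" on x86 Linux, as opposed to
# SIGTERM/SIGKILL, which usually mean an operator (or the OOM killer) stopped it:
# SIGILL=4, SIGABRT=6, SIGBUS=7, SIGFPE=8, SIGSEGV=11.
CRASH_SIGNALS = {4, 6, 7, 8, 11}

# Assumed exit-line format: "<ts> <host> init: <daemon> (pid N) terminated by signal S [(core dumped)]"
EXIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) init: "
    r"(?P<daemon>\S+) \(pid (?P<pid>\d+)\) terminated by signal (?P<sig>\d+)"
    r"(?P<core> \(core dumped\))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    daemon: str
    pid: int
    sig: int
    core: bool

    def message(self) -> str:
        """Human-readable alert text, e.g. for a console or pager."""
        try:
            name = signal.Signals(self.sig).name
        except ValueError:
            name = f"signal {self.sig}"
        suffix = " with a core dump" if self.core else ""
        return f"{self.ts} {self.host}: {self.daemon} (pid {self.pid}) exited unexpectedly on {name}{suffix}"


def find_unexpected_exits(log_text: str, watched=WATCHED_DAEMONS) -> list[Alert]:
    """Return one Alert per watched daemon that died on a crash signal or dumped core.

    Graceful stops (SIGTERM, SIGKILL without a core) and daemons outside the
    watch list produce no alert, so the console does not light up on routine
    restarts. SIGKILL without a core is treated as administrative here; a site
    that cares about OOM kills would add 9 to CRASH_SIGNALS.
    """
    alerts = []
    for line in log_text.splitlines():
        m = EXIT_RE.match(line)
        if not m:
            continue  # not a process-exit record
        daemon = m.group("daemon")
        sig = int(m.group("sig"))
        core = m.group("core") is not None
        if daemon in watched and (core or sig in CRASH_SIGNALS):
            alerts.append(Alert(m.group("ts"), m.group("host"), daemon,
                                int(m.group("pid")), sig, core))
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_exits(SAMPLE_LOG):
        print(alert.message())
```

Run against the constructed sample, this reports the `nfsd` SIGSEGV and the `httpd` SIGABRT, both with cores, and stays silent on the `sshd` SIGTERM, the `cron` clean exit and the `named` SIGKILL. The trade-off Mark describes is visible in the code: nothing here can tell you which packets crashed `nfsd`, only that it crashed, so in practice this sits beside packet capture rather than replacing it.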