From: Frank Knobbe (frankknobbe.us)
Date: Sat Sep 03 2005 - 01:58:56 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2005-08-30 at 18:02 -0400, Adam Powers wrote:
> This is why most of today's *successful* anomaly detection technologies
> incorporate a learning or "behavioral" component that overcomes this kind of
> problem. Take StealthWatch for instance. When a new DNS server comes online,
> StealthWatch looks at the flows being generated by the server, figures out
> what the server is and how it's behaving, then applies the appropriate
> algorithms given the contextual awareness of the server's learned behaviors.
>
> In a nutshell:
>
> 1. New host detected.
> 2. Let's watch it for a bit and figure out what it's up to.
> 3. Now that we know what the machine is and does, apply the proper anomaly
> detection techniques to the traffic generated by the host.

uhm... then I would rather not use Stealthwatch. If a new host comes
online, I'd like to receive an alert on that. Also, letting the IDS
guess what is normal may be suboptimal. For instance, if a host is
hacked and starts an FTP server on a new IP address the hacker assigns
(new host), the IDS will watch the FTP traffic of the pubstro and then
consider it normal. Except that it isn't :)

So having an IDS accept a new host and consider it's traffic normal
without any sort of alerts of user intervention can hardly be considered
a "successful" IDS.

Regards,
Frank

--
Ciscogate: Shame on Cisco. Double-Shame on ISS.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQBDGUmwwBQKb2zelzoRAq2DAJ0V0ktDAiOPBVfn4qCuxC0d5JUyBgCeKVi0
QSUyrIFbTBGhQkg/QAfTuQo=
=LB1U
-----END PGP SIGNATURE-----

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]