[prev in list] [next in list] [prev in thread] [next in thread] 

List:       focus-ids
Subject:    Re: new on IDSs (Context-awareness in IDSes)
From:       Umesh Shankar <ushankar () cs ! berkeley ! edu>
Date:       2003-01-28 0:00:26

Hello all,

I'm a student at UC Berkeley (my advisor is David Wagner). Vern Paxson
and I have done work on gathering and using network- and host-specific
information to disambiguate traffic, which we call "Active Mapping".
This lets us perform a more precise analysis. We have a paper coming up
at the IEEE Security (Oakland) conference. A not-quite-final version of
it is available at

http://www.cs.berkeley.edu/%7Eushankar/research/active/activemap.pdf

Feel free to contact me if you have any questions or would like to try it
out.

Umesh

> Date:  Mon, 27 Jan 2003 13:33:42 -0500
> From:  "David W. Goodrum" <dgoodrum@nfr.com>
> Subject:  Re: new on IDSs
> To:  Omar Herrera <oherrera@prodigy.net.mx>
> Cc:  focus-ids@securityfocus.com
> 
> Actually Omar, NFR's NID engine performs passive OS fingerprinting.  So, 
> we re-assemble fragments the same way as the destination OS, thus 
> avoiding that common problem among most other NIDS technologies.
> 
> Omar Herrera wrote:
> > Dear Vladimir,
> > 
> > I believe that one of the biggest limitations of NIDS is the need for
> > response emulation capabilities. NIDS have to know how a particular O.S.
> > responds to certain packets in order to act accordingly and avoid
> > evasion and injection techniques; actually this need is not a limitation
> > by itself but this capability is difficult to implement.
> > 
> > Not only should they consider O.S. responses, in many cases they should
> > also consider specific application responses (web servers for example).
> > So, in a big company with a huge diversity of applications and
> > configurations life won't be easy for a NIDS.
> > 
> > I'm not sure of what investigation is taking place to reduce this other
> > than adding a bunch of behavior signatures but I believe that for
> > certain configurations things would be easier for a NIDS.
> > 
> > For example, if the NIDS is in front of a firewall implementing
> > application gateway and circuit gateway technologies, in theory, it
> > would suffice to the NIDS to know exactly how this device handles
> > traffic at different levels. I'm not aware of a product claiming to do
> > this interaction with firewalls though (and you just can't have this
> > configuration everywhere).
> > 
> > Just some thoughts,
> > 
> > Omar Herrera
> > 
> > 
> >>hi all,
> >>
> >>I'm interested in NIDS and i was wondering if somebody could, please,
> >>answer
> >>these questions or give me some information (links, etc):
> >>
> >>1.- What are NIDS limitations, in addition to pattern-matching's inherent
> >>limitations?
> >>
> >>2.- Which technologies or investigation lines are trying to minimize or
> >>even
> >>correct these limitations?
> >>
> >>3.- What about distributed NIDS?
> >>
> > 
> >  
> > 
> > 
> 
> 
> - -- 
> David W. Goodrum
> Senior Systems Engineer
> NFR Security
> Mobile: 703.731.3765
> Office: 240.747.3425
> 
> 
> ------- End of Forwarded Message
> 
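The thread above turns on one point: a fragment stream can reassemble to different bytes depending on which overlap policy the receiving stack uses, so a NIDS that reassembles under the wrong policy can be evaded. The following is an added illustration, not code from the Active Mapping paper, from NFR, or from anyone in the thread. It models only two simplified policies ("first": the earliest-received bytes win; "last": later bytes overwrite), uses byte offsets rather than real IP 8-byte fragment units, and the host-to-policy table and IP addresses are constructed for the example. Real stacks have more overlap variants than these two.

```python
"""Policy-dependent reassembly of overlapping fragments (added example).

Shows why a NIDS must know the destination host's reassembly policy:
the same fragment stream yields a benign payload under one policy and
an attack string under another.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset into the reassembled payload (simplified)
    data: bytes


def reassemble(fragments: List[Fragment], policy: str) -> bytes:
    """Reassemble fragments in arrival order under a named overlap policy.

    'first': a byte already written is never overwritten by a later fragment.
    'last' : a later fragment overwrites any overlapping earlier bytes.
    Both are simplifications of real OS behaviour (assumption for this example).
    Raises ValueError on an unknown policy or a hole in the byte range.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    total = max(f.offset + len(f.data) for f in fragments)
    buf = bytearray(total)
    seen = bytearray(total)   # 1 where some fragment has covered that byte
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "last" or not seen[pos]:
                buf[pos] = byte
                seen[pos] = 1
    if not all(seen):
        raise ValueError("hole in reassembled payload")
    return bytes(buf)


# Constructed evasion stream: the attacker sends benign filler at offset 13,
# then an overlapping fragment carrying the real request tail.
def evasion_stream() -> List[Fragment]:
    return [
        Fragment(0, b"GET /cgi-bin/"),
        Fragment(13, b"XXXX"),   # seen by a 'first' host
        Fragment(13, b"evil"),   # seen by a 'last' host
    ]


SIGNATURE = b"/cgi-bin/evil"   # constructed signature string for the example


def nids_alert(fragments: List[Fragment], policy: str) -> bool:
    """A NIDS that reassembles under one fixed policy and pattern-matches."""
    return SIGNATURE in reassemble(fragments, policy)


# Constructed host -> measured policy table, the kind of per-host profile an
# active or passive mapping step would build ahead of time (hypothetical IPs).
POLICY_MAP: Dict[str, str] = {"10.0.0.5": "last", "10.0.0.6": "first"}


def context_aware_alert(dst_ip: str, fragments: List[Fragment],
                        default_policy: str = "first") -> bool:
    """Reassemble the way the destination host would, then match."""
    policy = POLICY_MAP.get(dst_ip, default_policy)
    return nids_alert(fragments, policy)


if __name__ == "__main__":
    stream = evasion_stream()
    for pol in ("first", "last"):
        print(pol, reassemble(stream, pol), nids_alert(stream, pol))
    for ip in ("10.0.0.5", "10.0.0.6"):
        print(ip, context_aware_alert(ip, stream))
```

Running it shows the same three fragments reassembling to `GET /cgi-bin/XXXX` under "first" and `GET /cgi-bin/evil` under "last"; a NIDS hard-wired to "first" misses the request that a "last" host would actually serve, while the per-host table lets the detector pick the right policy for each destination. The same structure applies to TCP segment overlap, which is the other ambiguity the thread alludes to.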
