
| Subject: | RE: need your help,thanks |
|---|---|
| Date: | Mon, 30 Aug 2004 03:30:47 +1200 |
My experience has been with the ISS products. These have a database backend and can produce reports to help you find out what is 'normal' for your environment; they also correlate like attacks, and have the ability to check the incoming attacks against known hosts (targets). If the "Security Fusion" module is installed, it can tell you if the targeted host is vulnerable to the attack.

False positives take a long time to tune out of your system, and you can never fully get rid of them, as new signatures come out all the time. IDSs, while good to help with your perimeter security, are a job in themselves if you want to ensure good, effective network security principles and accuracy of the alerts.

Hayden Searle

-----Original Message-----
From: Charles Heselton [mailto:charles.heselton@gmail.com]
Sent: Wednesday, 25 August 2004 2:42 p.m.
To: Lily
Cc: focus-ids@securityfocus.com
Subject: Re: need your help,thanks

On Sun, 22 Aug 2004 13:37:22 +0800, Lily <xiaoche111@hotmail.com> wrote:
> Hi all, I am a youngling in IDS. I read some papers on the network these days, and
> the more I read, the less I understand, because there are so many research areas in IDS and I don't know what I'll do. There are some questions below:

Keep reading. ;)

> 1. Have the false alarm rates been resolved now? I think it's an
> essential premise of the area of "response mechanism of IDS" that I want to research. Do you think so?

False alarms depend upon the accuracy of your signatures, and the peculiarity of your traffic. If the traffic in your environment is out of RFC standard, but is considered "normal" for your environment, it could produce a lot of false positives, especially with an anomaly based IDS. I think that this is something that IDS will always have to deal with. You can never have *perfect* detection.

> 2. Has someone firsthand used a data mining tool, just like C5, to
> reduce some data and make a conclusion about anomaly detection? Do you think it is advisable?
>
> Could you please help me? Thank you in advance.

I haven't used C5, but my organization has attempted to use an Oracle database for such a purpose. There are products out there which are supposed to do this sort of correlation for you. I know of Symantec's CyberWolf, and I've been told (:-?) that NetIQ does this sort of thing, though I have yet to see it. I'm sure there are others as well. Anyhow, the key to making a database type situation work is being able to rule out possibly anomalous traffic based on historical data. Then feed this info back into the IDS. I'm not familiar with any IDS that has this capability (yet).

> Regards,
> Lily
--
Charlie Heselton
Network Security Engineer
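The two kinds of correlation both replies describe (checking an incoming alert against what is known about the targeted host, and using a historical baseline to decide what is "normal" before feeding that back to the sensor as tuning) can be sketched in a few dozen lines. What follows is an added illustration written for this archive page; it is not code from ISS, Symantec, NetIQ or anyone on the thread. The hosts, signature names and alerts are constructed sample data, and the SIG_EXPOSURE table is an assumed stand-in for the per-signature vulnerability preconditions a commercial product ships alongside its signatures.

```python
"""Alert triage sketch: target-vulnerability correlation plus a historical baseline.

Added example, not code from ISS, Symantec or any product named in the thread.
Hosts, signature names and alerts are constructed; SIG_EXPOSURE is an assumed
stand-in for the preconditions a real product attaches to each signature.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    signature: str
    src: str
    dst: str
    dst_port: int


# Constructed asset inventory: OS and the service listening on each port.
ASSETS = {
    "10.0.0.5": {"os": "linux", "services": {80: "apache/2.0.49"}},
    "10.0.0.7": {"os": "windows", "services": {80: "iis/5.0", 445: "smb"}},
    "10.0.0.9": {"os": "linux", "services": {22: "openssh/3.8"}},
}

# Constructed signature -> precondition table (hypothetical signature names).
# None means the signature carries no vulnerability precondition (e.g. a probe).
SIG_EXPOSURE = {
    "HTTP_IIS_WebDAV_Overflow": {"os": "windows", "port": 80, "service_prefix": "iis/"},
    "SMB_Netbios_Overflow": {"os": "windows", "port": 445, "service_prefix": "smb"},
    "SSH_Version_Probe": None,
}

PRIORITY = {"exposed": "high", "no_precondition": "medium",
            "unknown": "medium", "not_exposed": "low"}


def exposure(alert):
    """Classify whether the targeted host can actually be affected by the signature.

    Returns 'exposed', 'not_exposed', 'no_precondition' or 'unknown'.
    """
    host = ASSETS.get(alert.dst)
    if host is None or alert.signature not in SIG_EXPOSURE:
        return "unknown"  # cannot decide: host not inventoried or signature unmapped
    cond = SIG_EXPOSURE[alert.signature]
    if cond is None:
        return "no_precondition"
    if host["os"] != cond["os"]:
        return "not_exposed"
    service = host["services"].get(cond["port"])
    if service is None or not service.startswith(cond["service_prefix"]):
        return "not_exposed"
    return "exposed"


def baseline(history, now, window):
    """Count (signature, src, dst) tuples seen in the lookback window."""
    start = now - window
    return Counter((a.signature, a.src, a.dst) for a in history if start <= a.ts <= now)


def triage(alerts, history, now, window=timedelta(days=7), recurring_after=5):
    """Annotate each alert with its exposure, baseline status and a priority."""
    seen = baseline(history, now, window)
    out = []
    for a in alerts:
        exp = exposure(a)
        status = "recurring" if seen[(a.signature, a.src, a.dst)] >= recurring_after else "new"
        priority = PRIORITY[exp]
        # A recurring hit against a host that cannot be affected is the classic
        # false positive: a candidate for a tuning/pass rule fed back into the IDS.
        if exp == "not_exposed" and status == "recurring":
            priority = "tune"
        out.append({"alert": a, "exposure": exp, "status": status, "priority": priority})
    return out


def tuning_candidates(results):
    """(signature, src, dst) tuples an operator would review for suppression."""
    return sorted({(r["alert"].signature, r["alert"].src, r["alert"].dst)
                   for r in results if r["priority"] == "tune"})


# Constructed sample input: eight earlier hits of an IIS signature against an Apache box.
NOW = datetime(2004, 8, 30, 3, 30)
HISTORY = [
    Alert(NOW - timedelta(hours=h), "HTTP_IIS_WebDAV_Overflow", "192.0.2.10", "10.0.0.5", 80)
    for h in range(1, 9)
]
NEW_ALERTS = [
    Alert(NOW, "HTTP_IIS_WebDAV_Overflow", "192.0.2.10", "10.0.0.5", 80),
    Alert(NOW, "HTTP_IIS_WebDAV_Overflow", "192.0.2.10", "10.0.0.7", 80),
    Alert(NOW, "SMB_Netbios_Overflow", "198.51.100.4", "10.0.0.9", 445),
    Alert(NOW, "SSH_Version_Probe", "198.51.100.4", "10.0.0.9", 22),
    Alert(NOW, "HTTP_IIS_WebDAV_Overflow", "192.0.2.10", "10.0.0.99", 80),
]


def run():
    return triage(NEW_ALERTS, HISTORY, NOW)


if __name__ == "__main__":
    for r in run():
        a = r["alert"]
        print(f"{r['priority']:6} {r['exposure']:15} {r['status']:9} "
              f"{a.signature} {a.src}->{a.dst}")
```

Run as-is, the first alert (same source, same signature, repeatedly hitting a Linux/Apache host) comes out as a tuning candidate, the identical signature against the Windows/IIS host is high priority, and the alert against a host missing from the inventory stays medium rather than being dropped: the inventory, not the signature, is what lets you say "not vulnerable", so an incomplete inventory is a reason to keep the alert, not to suppress it.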