Network Security Focus-IDS

Re: Firewalls (was Re: IDS evaluations procedures)

Subject: Re: Firewalls (was Re: IDS evaluations procedures)
Date: Tue, 26 Jul 2005 17:08:15 -0400


Sanjay Rawat wrote:
Hi Richard
I agree on the difficulty in defining an attack properly. In fact, recently I joined a company as a kind of intrusion analyst. Before that I was in an academic environment doing my PhD in IDS. What I observed is that signatures are concentrating more on a particular exploit code rather than the true exploit/vulnerability. I am specifically talking about Snort signatures.

An interesting assertion. I tend to disagree. What is it that leads you to believe that Snort rules focus on exploits instead of exploitable conditions?


I feel that the time has come when we should also look at some AI/data mining/machine learning techniques to get some more insight into the attacks, as now we have high computing devices. During my research, I experimented with many such techniques, but I don't find the acceptability of such techniques in commercial products. I know I may sound more theoretical to all experienced network/system administrators, but I want to bring this issue into focus. In this way, we can, at least, discuss the feasibility of such techniques and the problems associated with that.

Please feel free to implement and try this; I would love to see it. There have been efforts in the past which attempted to do this, such as SPADE from Silicon Defense for Snort.


I am looking forward to having some response from all.
Thanks
Sanjay
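The two points argued above (signatures that match one exploit's artefacts versus the exploitable condition, and whether a statistical/learning approach such as SPADE adds anything) can be made concrete with a small illustration. The following is an added example, not code from this thread, from Snort, or from SPADE. The line-based "USER" service, its 256-byte buffer, the payloads and the traffic mix are all constructed for illustration; the anomaly score is the simplest frequency-based flavour of the idea SPADE implemented, not its actual algorithm.

```python
"""Added example (not from the thread, Snort or SPADE).

Part 1: an exploit-specific signature versus a vulnerability-condition
signature, run over constructed payloads.
Part 2: a SPADE-style rarity score computed over a constructed traffic
stream, which needs no signature at all.
"""
import math
import re
from collections import Counter

# Hypothetical size of the vulnerable USER buffer (constructed value).
ASSUMED_BUFFER_SIZE = 256

# Constructed payloads for a hypothetical line-based service.
SAMPLES = {
    "benign":     b"USER alice\r\n",
    "exploit_v1": b"USER " + b"A" * 300 + b"\r\n",  # the "published" variant
    "exploit_v2": b"USER " + b"B" * 300 + b"\r\n",  # same bug, filler changed
}

USER_ARG = re.compile(rb"USER ([^\r\n]*)")


def exploit_signature(payload: bytes) -> bool:
    """Matches an artefact of one particular exploit: a long run of 'A'.

    This is the style the first post complains about: it keys on the
    exploit code, so a trivially changed variant slips past it."""
    return b"USER " + b"A" * 100 in payload


def vulnerability_signature(payload: bytes) -> bool:
    """Matches the condition that triggers the bug: a USER argument
    longer than the buffer, regardless of what the argument contains."""
    m = USER_ARG.match(payload)
    return m is not None and len(m.group(1)) > ASSUMED_BUFFER_SIZE


def evaluate(signature, samples=SAMPLES) -> dict:
    """Run one signature over every sample; returns name -> matched."""
    return {name: signature(p) for name, p in samples.items()}


# --- Part 2: frequency-based anomaly score over a traffic stream ---------

def length_bucket(payload: bytes) -> str:
    """Coarse feature of a payload: is the USER argument short or long?"""
    m = USER_ARG.match(payload)
    n = len(m.group(1)) if m else 0
    return "short" if n <= 64 else "long"


# Constructed traffic: 98 benign logins followed by the two exploit variants.
TRAFFIC = [SAMPLES["benign"]] * 98 + [SAMPLES["exploit_v1"], SAMPLES["exploit_v2"]]


def anomaly_scores(payloads) -> dict:
    """Score each feature value by -log2(P(value)), with P estimated from
    the stream itself. Rare values get high scores; common ones near 0."""
    events = [length_bucket(p) for p in payloads]
    counts = Counter(events)
    total = len(events)
    return {e: -math.log2(c / total) for e, c in counts.items()}


def flag_anomalies(payloads, threshold=4.0) -> list:
    """Indices of payloads whose feature value scores above the threshold.
    Note the trade-off: anything rare is flagged, exploit or not."""
    scores = anomaly_scores(payloads)
    return [i for i, p in enumerate(payloads)
            if scores[length_bucket(p)] > threshold]


if __name__ == "__main__":
    print("exploit-specific signature:", evaluate(exploit_signature))
    print("vulnerability signature:   ", evaluate(vulnerability_signature))
    print("anomaly scores:", anomaly_scores(TRAFFIC))
    print("flagged indices:", flag_anomalies(TRAFFIC))
```

Running it shows the exploit-specific signature matching only the first variant while the vulnerability-condition signature catches both, and the rarity score flagging both variants (indices 98 and 99) without any signature. The same run also illustrates the objection raised against anomaly detection in commercial products: the score measures rarity, not maliciousness, so a rare but legitimate long argument would be flagged just the same.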



