Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: anomaly IDS ideas ?

from [Simon Biles] Network Security [Permanent Link]
Subject: Re: anomaly IDS ideas ?
Date: Fri, 3 Feb 2006 09:34:27 +0000 
Have a look at the SPADE ( Statistical Packet Anomaly Detection Engine
) project for Snort.

http://www.computersecurityonline.com/spade/

:-)

Si

On 1 Feb 2006 19:41:16 -0000, the_aok@yahoo.com <the_aok@yahoo.com> wrote:

hello,
im a computer science student and i have to do my graduation project
next
semester, i want to do it on anomaly IDS's. i have searched the
internet and
found little on that subject,here are my ideas on how to implement a
network
anomaly IDS,please correct me where im wrong or if u have any other
references or ideas i would be happy to hear from you:
the IDS will have 2 stages;first it will study the network traffic and
build
some kind of a database that keeps what should be marked as 'safe' and
after
collecting enough information it should start running and issue alerts
when
anomalies happen(network data will be compared to the database built in
the
first stage),this is the data im going to collect:
1-information about each hostname,IP address,and MAC address.(i think
this
should stop ARP Poisoning attacks by comparing later traffic to the
database
of MAC addresses associated with IP addresses)
2-ports open on each host and ports that each host connects to.the IDS
should issue an alert if the host opens a port which wasnt open before
or
tries to connect to a new port; with this i think that exploits that
use
bind or connectback shellcode should be stopped.
3-times each host uses the network and which usernames it uses to
connect to
network resources; this should enable the IDS to detect if someone else
is
using the computer or using a different username.

this is it :) i know that this is not near enough and that is why im
sending
this email, for example if someone uses an upload/exec shellcode in an
exploit i dont think that the IDS will detect it, or if a trojan
connects to
a common port(for example port 80) the IDS won't notice it.
another thing i want is to minimize false positives,which is an
important
thing.the main aim of the IDS will be to stop 0day attacks from
happening,
so if anyone has any ideas or any references i would really appreciate
it.
thank you,


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------





--
Simon Biles
CISSP, OPSA, BS7799 Lead Auditor, MBCS

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Real world experience with HIDS, FinAckSyn
Next by Date:  Re: Real world experience with HIDS, Paul Schmehl
Previous by Thread:  anomaly IDS ideas ?, the_aok
Next by Thread:  Re: anomaly IDS ideas ?, Christian G. Charette
Indexes:  [Date] [Thread] [Top] [All Lists]