[Snort-devel] Defeating the anti-IDS tools...

Matt W. kmx at ...309...
Mon Apr 2 03:16:47 EDT 2001

It still shows up as a statistical anomaly.  Big shiny blips on the radar.  It
wouldn't overwhelm your reporting console because it would consolidate it down
into some characteristic it could group by.  Be it the signature, IP address,
time, etc.  The real problem here is how to react when your data mining system
returns output like this:

Valid Attack 1 - 100 attempts by <IP list>
Valid Attack 2 - 150 attempts by <IP list>
Non Valid Attacks 1 - 500 attempts by <IP list>
Non Valid Attacks 2 - 300 attempts by <IP list>

With a scoring system this could be even more granular and would float the MOST
Valid attacks / Most dangerous valid attacks to the top of the list.

All this would be contained within a time period of say 2 hours or something.
Now you need another piece to the data mining system that finds the valid source
addresses and allows you the admin to respond based on your company policies.


Todd Lewis wrote:

> On Sun, 1 Apr 2001, Matt W. wrote:
> > Data mining is the key to detecting these things easily, not preprocessors.
> I agree.  The fundamental fact is, if someone is trying to overwhelm
> you, then they can just throw legitimate attacks at you.  This is an
> area where SecureWorks' systems really help; maybe some day they will
> bother to explain them to the world.
> --
> Todd Lewis
> tlewis at ...255...
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

More information about the Snort-devel mailing list