Hi Frank:
the points which you raised are correct, but this is the underline
assumption that you have CLEAN attack-free data to train your anomaly IDS.
in the example, which you put, you need to ensure that your new host is not
compromised. Also, from time to time, you need to update the learning by
putting your IDS in learning/training mode. In fact, such things are main
barriers in deploying anomaly based IDS.
regards
Sanjay
uhm... then I would rather not use Stealthwatch. If a new host comes
online, I'd like to receive an alert on that. Also, letting the IDS
guess what is normal may be suboptimal. For instance, if a host is
hacked and starts an FTP server on a new IP address the hacker assigns
(new host), the IDS will watch the FTP traffic of the pubstro and then
consider it normal. Except that it isn't :)
So having an IDS accept a new host and consider it's traffic normal
without any sort of alerts of user intervention can hardly be considered
a "successful" IDS.
Regards,
Frank
--
Ciscogate: Shame on Cisco. Double-Shame on ISS.
Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
Homepage: http://sanjay-rawat.tripod.com
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
