Ian P. Christian | 1 Jun 2002 11:14

RE: Normalizers, OpenBSD, etc.

> If someone wanted to begin the process of implementing traffic 
> normalization ("norm" or something else) today, where would he/she go?

I might be misunderstanding what traffic normalization is, but take a
look at hogwash. Based on snort, it can be used to remove network nastiness
at layer 2.

HTH,

--

-----------------------------------------------------------------
Ian Christian              E-Mail: pookey at pookey dot co dot uk
President and Tech Officer for Termisoc    PGP Key ID: 0xD09C10ED
-----------------------------------------------------------------
GCC d s: a-- C+++ UL++ P+ !E W++ N+ w M-- PS PGP+ t+ e>++ h+ z**


Drew | 3 Jun 2002 18:05

Re: Session Vs Packet Switching

"Gustavo Ossandon S." wrote:

> This is an open question
>
> New technologies are implementing session switching over the old Packet
> switching algorithms
>
> This means just the first packet of a session gonna be
> inspected and all the
> rest of the session will be granted pass .....
>

You speak of multi-layer switching (MLS).  Not strictly "new", and not
really related to IDS.  Keep in mind that there are several types
of flow masks associated with MLS, and they do support the addition
of security, in the form of standard and extended ACLs on the MLS-RP
(Cisco as a reference point here).

> What security implications this would carry ???
>
> What possibility exist, that some hacker could penetrate under a session
> already established ???
>

	(...)

Basically, this is a performance solution, not a security solution.  
Can you spoof a packet that would be part of an MLS flow?  I dunno.  

L0rd DarkF0rce | 4 Jun 2002 18:50

IDS on a Token Ring world

Does anyone have any pointers on how to implement NIDS on a Token Ring
Network?

TIA!


abriney | 4 Jun 2002 17:00

Looking for IDS Roundtable Panelists


In this month's issue of Information Security, we run a roundtable on
the future direction of IDSes featuring prominent vendor
representatives, including Chris Klaus (ISS), Marcus Ranum (formerly
NFR) and Martin Roesch (Snort/Sourcefire). 

http://www.infosecuritymag.com/2002/jun/cover.shtml

As a follow-up to this roundtable, we plan on running a roundtable of
IDS users/customers in an upcoming issue. If you'd like to
participate in this roundtable, please e-mail me. We want to turn the
tables on the vendors and hear from the organizations using their
products!

Thanks, Andy
__________________________________
Andy Briney, Editor-in-Chief
Information Security Magazine
85 Astor Ave., Ste. 2
Norwood, MA  02062
781-255-0200 x13; FAX 781-255-0215
http://www.infosecuritymag.com

Drew | 4 Jun 2002 19:14

Re: IDS on a Token Ring world

L0rd DarkF0rce wrote:
> 
> Does anyone have any pointers on how to implement NIDS on a Token Ring
> Network?
> 

What is the issue you are thinking you have?  Remember, the IDS
will be looking at layer three traffic, and that traffic is the 
same regardless of the lower layer stuff.  I used to work on a 
TR network, and we had Cisco Netrangers with token ring 
interfaces, right from the factory.

Kim E Pihl | 5 Jun 2002 16:28

Re: IDS on a Token Ring world

Well, one important difference!!
Not all NICs can be set into promiscuous mode, so be careful.
I haven't had any trouble beside choosing the right card.

Kim Pihl

At 13:14 2002-06-04 -0400, Drew wrote:
>L0rd DarkF0rce wrote:
> >
> > Does anyone have any pointers on how to implement NIDS on a Token Ring
> > Network?
> >
>
>
>What is the issue you are thinking you have?  Remember, the IDS
>will be looking at layer three traffic, and that traffic is the
>same regardless of the lower layer stuff.  I used to work on a
>TR network, and we had Cisco Netrangers with token ring
>interfaces, right from the factory.

Andy Talisker | 2 Jun 2002 15:55

Return To UK & RealSecure Training

Hi all
I bet you thought it had been quiet!  After 4 months in the Antarctic I'm
back. I will be updating the website over the next few weeks, and as always
my first priority will be IDS.

In the meantime I'm looking for companies other than ISS that provide
RealSecure Network Sensor training.  Ideally these would be UK based, but I
would do some cost analysis on going anywhere.  It's more about quality of
training than cost; I can't say more than that but will let you form your
own conclusions about my problem.

Have a good one
-andy (talisker)
http://www.networkintrusion.co.uk
Talisker's Network Security Tools

Andrew Hintz (Drew | 9 Jun 2002 18:16

Traffic Normalization (defrag) of IDSs


Does anyone know of a site/documentation/personal knowledge that
details how specific IDSs perform TCP/IP traffic normalization?  For
example, I know that most IDSs perform some defragmentation, and
that snort now handles all the released fragroute scripts.

TIA,
--
^Drew

http://guh.nu

--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518  5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--

counter.spy | 10 Jun 2002 19:53

Re: Traffic Normalization (defrag) of IDSs

Well, if you really want to know details, why not start digging into the
original sourcecode of snort? ;-)

Okay, maybe this is not exactly the kind of reply you have expected
but it's the standard reply to such questions.
Most vendors will not give away such details freely (at least none that
I know of), so the only source of information is probably open-source tools
like snort.

I know that reading source code is not everybody's favourite way
of learning such details, because it takes some programming skills
to understand the code (I am no programmer either).
But if you don't want to wait until some geek gets the time to explain
it in a technical paper, it's all down to you ;-)

Sorry if this isn't very helpful.
Regards,
Detmar

---------------------original message-----------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Does anyone know of a site/documentation/personal knowledge that
details how specific IDSs perform TCP/IP traffic normalization?  For
example, I know that most IDSs perform some defragmentation, and
that snort now handles all the released fragroute scripts.

TIA,
- --

Andrew Hintz (Drew | 10 Jun 2002 20:23

Re: Traffic Normalization (defrag) of IDSs

On Mon, Jun 10, 2002 at 07:53:11PM +0200, counter.spy <at> gmx.de wrote:
> Well, if you really want to know details, why not start digging into the
> original sourcecode of snort? ;-)

Of course I can just look at the code, but I don't have the source
for most IDSs out there in the market.  However if you're willing to
send me the source for some commercial IDSs out there, I'd be more
than happy to take a look. ;)

I'm interested not in the processes various IDSs use for traffic
normalization, but in how they interpret ambiguous traffic.  For
example, if they perform IP defrag and there are overlapping frags,
do they use the first frag, the last frag, etc... as the correct
value?

I know that snort's frag2 preproc will do basically whatever you
tell it to and can make sense of traffic passed through the
anti-snort attack scripts included with fragroute.

Thanks,
-- 
^Drew

http://guh.nu

--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518  5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--

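The overlapping-fragment ambiguity Drew asks about, shown with an added example that is not from the thread or from snort's frag2: a small byte-offset reassembler with a favor-first and a favor-last policy, run over constructed fragments so the same input yields two different datagrams. Offsets are simplified to byte offsets (real IP fragment offsets are in 8-byte units), and real stacks have more nuanced rules than these two policies.

```python
# Added example (not from the thread or from snort): reassemble overlapping
# fragments under two policies to show the ambiguity an IDS must resolve.
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # simplified: byte offset (real IP uses 8-byte units)
    data: bytes


def reassemble(frags, policy="first"):
    """Reassemble fragments given in arrival order.

    policy="first": bytes from the earliest fragment win on overlap.
    policy="last":  a later fragment overwrites earlier bytes.
    Real stacks have more nuanced rules; these two bracket the choice.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    total = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(total)
    filled = [False] * total
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or not filled[pos]:
                buf[pos] = b
                filled[pos] = True
    if not all(filled):
        raise ValueError("hole in datagram: cannot reassemble")
    return bytes(buf)


# Constructed fragments: the third partially overlaps the second at offset 11.
SAMPLE = [
    Fragment(0, b"GET /index."),
    Fragment(11, b"html HTTP/1.0"),
    Fragment(11, b"txt "),
]


def policies_disagree(frags=SAMPLE):
    """True when the two policies produce different datagrams, i.e. an IDS
    that does not match the end host's policy sees a different request."""
    return reassemble(frags, "first") != reassemble(frags, "last")
```

An IDS whose policy differs from the protected host's reassembles a request the host never sees, which is why a target-aware setting such as the one Drew describes for frag2 matters.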