thomas48 | 1 Jun 06:10 2006

SyScan'06 - The Hackers' Conference in Asia

Dear all

SyScan'06 - The Hackers' Conference, will be held in Singapore from 20th 
to 21st July 2006. This is the third year running for SyScan.

SyScan’06 Day 1 – 20th July 2006

8:00 a.m. Registration
8:40 a.m. Welcome Speech - Thomas Lim
8:45 a.m. Marc Maiffret – Chief Hacking Officer, eEye - Keynote Speech
9:30 a.m. Paul Craig - Unpacking Malware, Trojans and Worms
10:30 a.m. Coffee and Beer Break
11:00 a.m. Thorsten Holz - Towards Automated Botnet Detection and Mitigation
12:30 a.m. Lunch
1:30 a.m. Enrique Sanchez - I-worm.Fuzzer: A New Propagation Type of Virus
2:30 p.m. Andrew Griffth - Securing Unix/Linux Systems
3:30 p.m. Hendrik Scholz - VoIP Security Issues: Problems on the users’ 
side and what are the providers doing wrong?
4:30 p.m. Coffee and Beer Break
5:00 p.m. Barnaby Jack - Exploiting Embedded System
6:00 p.m. Alexander Sotirov - Reverse Engineering Microsoft Binaries
7:00 p.m. End of Day 1

SyScan’06 Day 2 – 21st 2006
9:00 a.m. Joachim De Zutter - Feedback Fuzzing
10:00 a.m. Coffee and Beer Break
10:15 a.m. Angelo Rosiello - Writing behind a buffer
11:15 a.m. Andre Protas - Skeleton in Microsoft closet
12:15 p.m. Lunch
1:00 p.m. Nish Bhalla - Binary Analysis, Finding Secret in ISAPIs

nksdata | 2 Jun 12:07 2006

Auditing RealSecure IDS Policy

Hi All,

I want to audit existing realsecure IDS policy. Is there any tool for doing the same?

Please suggest.

Best Wishes.


Ali-Reza Anghaie | 3 Jun 01:26 2006

RE: Latest published papers on IPS brands evaluation and comparison

Also consider reading ...


Kevin Johnson | 4 Jun 20:39 2006

BASE 1.2.5 (sarah) released

The BASE project team is proud to announce that we have released 1.2.5
(sarah). It has been almost three months since the last release and in
that time the project team has grown. We welcome Jon Hart to the team and
he has already shown what a great contributor he can be. One difference
with this release is that Kevin's daughter (sarah) is due to be born
tomorrow so if you need support please contact the developers list or post
a report on the page. Kevin will be checking email but it will be sporadic
for a week or so.

Now on to the changes. One of the main things in this release is a
security fix that was announced by Milw0rm. This release solves the
problem they found. Two things that the development team would like to
point out. First, we would appreciate it if people at least tried to
contact us before announcing these things. We do respond and try to fix
things as soon as we can. Second, this security hole only affects you if
you are running with globals registered. If you are doing that then you
have a ton of other problems and we recommend that you turn it off.

We have also updated and improved our support for the FLoP system. A lot
of fixes went into the setup system and we did a ton of changes to prevent
further XSS and SQL injection attacks. The Chinese language file was
updated. We also fixed a number of bugs and some of the issues with
searching. We also improved our handling of ICMP messages. For full
details of all of the changes, please read the CHANGELOG.

Rong-Tai Liu | 5 Jun 09:08 2006

RE: Skype & IPS vendor claims

BroadWeb's IPS is able to block Skype entirely and control its services
(voice, video, file transfer, chat) separately at the same time.

Our customers tend to use our IPS to block the "file transfer" function of
Skype, and still allow the voice communication. They don't want viruses/worms
to get into the internal networks through the "file transfer" path of IM
applications and Skype, but they also like their employees to use the VoIP
function to cut the cost.

BroadWeb uses mainly behavior analysis and few signatures to identify Skype
and its features. Currently we support up to Skype version (seems
to be the latest one).

Best Regards,

Terence R.T. Liu, Ph.D.
R&D Division
BroadWeb Corporation
E-mail: tie <at>
Web Site:

-----Original Message-----
From: Basgen, Brian [mailto:bbasgen <at>]
Sent: Thursday, May 25, 2006 6:03 AM
To: focus-ids <at>
Subject: RE: Skype & IPS vendor claims



Jean-Philippe Luiggi | 5 Jun 15:30 2006

Re: fusion of results from heterogeneous sensors


Considering the "anomaly based" IDS, I'm not sure a tool like this exists
in open source.

Another tool you may check besides "snort" is "bro" (
Using bro's language you can script your own policies and then,
with some tweaks, do and/or check what you want.

Best regards.

On Sat, May 20, 2006 at 09:37:54AM +0530, Raj Malhotra wrote:
> Hi All
> I am trying to set up a test network comprising of heterogeneous
> intrusion detectors. The idea is to use the diverse capabilities of
> these detectors to arrive at a decision as to whether an intrusion
> took place or not.  I intend to use a signature based ids (snort in
> this case), an anomaly based network ids ( i don't know what to use
> here), something which is very efficient in detecting scans (port
> scans, OS fingerprint attempts) etc.
> I would be thankful if folks can suggest freeware which can be used
> for the above mentioned purpose
> thanks in advance
> ral


Becca Kastl | 6 Jun 01:20 2006

Tipping Point question

I'm looking for some information and hopefully documentation regarding 
Tipping Point devices (400 series) and 802.1q.

I currently have a Tipping Point 400 device tapped to an 802.1q trunk 
from a Cisco 3750 switch with multiple DMZ/VLANs. The configuration is 
supposed to have been validated as legit, but the older documentation 
did not identify the link type from the Cisco switch. But we still can't 
validate that the TP device is seeing the actual IP traffic and not the 
"802.1q gobbledygook."

I have tried to contact Tipping Point, but without support contract 
information I haven't been able to get much. I've searched Tipping 
Point's site and the only information I can find regarding 802.1q (or 
"trunking" or "LACP") is in regards to the X505--nothing on the 400. 
Likewise, googling doesn't turn up much and none of my primary contacts 
have been able to definitively respond to the question. At the moment, 
I'm operating off the default assumption that if it isn't explicitly 
stated, then it isn't supported.

Thanks in advance for any information that anyone can provide.

Becca Kastl


Andrew Plato | 6 Jun 02:27 2006

IPS Market Share

Somebody asked a while back about market share and IPSs on this list. I
just got a copy of a report from Infonetics Research. In short here is
how the top IPSs stack up in market share: 


TippingPoint (3Com) comes out on top; they have an incredibly high
percentage of customers running their products not only in line, but
running their default recommended settings of over 800 filters (with
minor tweaks); they have a 33% share in 2005, nearly double that of
their next closest competitor

Cisco comes in 2nd overall in 2005 (just barely) with 17% share; we
estimate that just over 50% (though rising quickly) of their customers
use their products in line with a significant number of filters; Cisco's
real strength overall though is in their ability to push IPS technology
through a wide variety of devices beside their dedicated IPS products,
including integrated security appliances, routers, and switches. 

Juniper comes in 3rd overall with a 16% share of revenue, but they have
a very high percentage of customers actually using their products
in-line (second only to TippingPoint)

McAfee and ISS round out the 4th and 5th spots with similar numbers; ISS
has a strong IDS legacy, and though they've been successful selling IPS,
their installed base of happy IDS customers, and their reputation as an
IDS supplier hurts them in this study, and McAfee has established
themselves as a very strong player for high-performance IDS, but hasn't
been as successful moving their customers in line as other vendors in
this space. 

Jason Muskat | 4 Jun 19:08 2006

Re: Auditing RealSecure IDS Policy


One can export a given policy (it's just a text file), then read it as is,
or create a simple parser to reformat the text to your liking.


Jason Muskat  | GCUX - de VE3TSJ
e. Jason <at> TechDude.Ca
m. 416 .414 .9934


> From: <nksdata <at>>
> Date: 2 Jun 2006 10:07:54 -0000
> To: <focus-ids <at>>
> Subject: Auditing RealSecure IDS Policy
> Hi All,
> I want to audit existing realsecure IDS policy. Is there any tool for doing
> the same?
> Please suggest.
> Best Wishes.

trantichphuoc | 6 Jun 15:56 2006

Machine Learning for IDS: which dataset?

Hi there,
I am interested in applying machine learning algorithms in detecting network intrusions. I read many
papers and realized that the KDD-99 is the most well-known dataset used in the field. However, this
dataset was provided by MIT in 1999, and obviously, it's pretty old. As we all know, the defensive
technologies are fast, and also the hacking techniques. Clearly, the KDD-99 dataset would not provide
the true representation of a network at the current time. So, could anyone please tell me which dataset is more
updated, specialized for machine learning research in IDS?
