Nelson Brito | 2 Oct 2008 23:53

Re: "Exploit creation - The random approach" or "Playing with random to build exploits"

I am glad you have enjoyed it, but I do not agree with some of your statements.
Actually, I do not agree with almost all of them. 8-D

On Fri, Sep 26, 2008 at 7:02 PM, Stefano Zanero <zanero <at> elet.polimi.it> wrote:
> Well, no, actually, Slammer was not a flash worm. A flash worm is a worm
> which follows a precomputed spreading path, by using prior knowledge of
> all the systems that are vulnerable to the particular exploit in use.
And Slammer didn't.
> It is actually akin to a Warhol worm.

Hhmmm...  Let's check the description for Flash Worm:
"We further observe that there is a variant of the hit-list strategy
that could plausibly result in most of the vulnerable servers on the
Internet being infected in tens of seconds. We term this a flash worm.
The nub of our observation is that an attacker could plausibly obtain
a hit-list of most servers with the relevant
service open to the Internet in advance of the release of the worm."
("How to 0wn the Internet in Your Spare Time")

It looks like a Flash Worm to me, but, well, let's get some more
information from the CAIDA analysis of Slammer
(http://www.caida.org/publications/papers/2003/sapphire/sapphire.html).

It still looks like a Flash Worm to me, and, AFAIR, there was a huge
UDP/1434 probe (SANS Internet Storm Center) before Slammer hit the
Internet. Am I wrong? Doesn't that mean the Worm creator used a
"hit-list"?

Well, let's forget this, it is just a matter of different points of
view, anyway. And, AFAIR, the same conflict happened during naming

Eygene Ryabinkin | 3 Oct 2008 17:43

Re: "Exploit creation - The random approach" or "Playing with random to build exploits"

Nelson, good day.

Thu, Oct 02, 2008 at 06:53:43PM -0300, Nelson Brito wrote:
> > Well, actually that's because the polymorphic code for viruses and worms
> > came even before, and was already a beaten issue.
> 
> I didn't get this age (Virus Age), sorry.

Then you'll be probably interested in a polymorph named 1260,
  http://www.informit.com/articles/article.aspx?p=366890&seqNum=5
and a famous Mutation Engine from Dark Avenger,
  http://vx.netlux.org/vx.php?id=em11

These are real history now, but they are still interesting.
-- 
Eygene
saintarmin | 3 Oct 2008 19:54

Looking for a thesis topic in the area of IDS

Hi !!!

I am looking for a thesis topic in the area of IDS. Any ideas or any help would be greatly appreciated.

thanks so much

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------

zubair.shafiq | 5 Oct 2008 02:06
Picon
Favicon

Re: Looking for a thesis topic in the area of IDS

Botnet detection is a very hot topic. But it is very difficult to get hold of any network traces for
experimentation. 

Recently Gu has done the first thesis on Botnet at Georgia Tech.


"Zow" Terry Brugger | 6 Oct 2008 20:39

Re: Looking for a thesis topic in the area of IDS

> Botnet detection is a very hot topic. But it is very difficult to get hold of any network traces for experimentation.
>
> Recently Gu has done the first thesis on Botnet at Georgia Tech.

Yes, botnets have certainly become a lot more interesting than a lot
of the flash worms and the like we were seeing five years ago. A lot
of this is because they avoid detection so that they can keep on doing
their thing. Furthermore, a lot of them act more like trojans than
exploit code (relying on some user interaction), making signature
generation for them more difficult. Incidentally, Gu just started at
Texas A&M -- great guy, really sharp.

My interest is still in network based intrusion detection, and the
biggest problem in this arena is the lack of good datasets to test
from. Furthering this problem is that static datasets are no longer
sufficient for testing, given the rate at which network traffic
changes and how diverse different network segments are. A really
useful research project to this end would be a framework for
generating test datasets which could be tuned to generate different
traffic profiles for different environments. The trick to that is
verifying that the traffic the framework is generating is close enough
to real traffic to be useful: that's the topic of my current research,
and I'd be happy to talk to anyone on that topic at length.

Beyond that, I think an analysis of existing network traffic would be
useful. There is a great deal of debate regarding things such as how
much network traffic is malicious in nature? How much is benign, but
anomalous? How much malicious traffic is actually anomalous? There are
a number of studies of sources of anomalous network traffic: RFC 2525
is a good start, Floyd and Paxson "Difficulties in modeling the

Security Group | 20 Oct 2008 14:12

Host Based IDS

Hello,

I am currently evaluating several host-based Intrusion Detection
Systems to monitor servers in a DMZ. My company only wants to monitor
for suspicious behaviour on critical servers, without the need for a
company-wide security system. I am not interested in a network-based
IDS because this is already covered by our company.
The list below contains my findings so far:

OSSEC
Open Source Tripwire
SAMHAIN
OSIRIS
AIDE
Third Brigade Deep Security
Symantec Critical System Protection
IBM Proventia
Enterasys Dragon IDS/IPS
McAfee Total Protection for Endpoint
CA Host-Based Intrusion Prevention System r8
GFiEventsManager
Cisco Security Agent

I am thinking of suggesting OSSEC. Does anyone have any other suggestions?

Thanks in advance.

Kind regards,

Babel Timon

Stefano Zanero | 20 Oct 2008 21:01

Re: Host Based IDS

Security Group wrote:

> I am currently evaluating several host-based Intrusion Detection
> Systems to monitor servers in a DMZ. 

Which type of servers ?

> OSSEC

Which is a log-based IDS...

> Open Source Tripwire

This is a file alteration monitor...

> IBM Proventia
> Enterasys Dragon IDS/IPS

Aren't these NIDS ?

> Cisco Security Agent

This is an anomaly-based HIDS...

You are comparing apples, oranges, bananas and lemons together... this
is not really productive.

> I am thinking of suggesting OSSEC. Does anyone have any other suggestions?

Maybe you should clarify with yourself what you are actually trying to

Brad Lhotsky | 20 Oct 2008 22:29

Re: Host Based IDS

OSSEC does more than just log-based detection.  It has hash-based file
integrity checksumming, rootkit detection, and the distributed
active-response mechanism to immunize all agents against threats
detected on just a single node.

OSSEC is a very powerful and promising product.  It won't function like
a NIDS, so it's not a complete solution.  It is however a great piece to
a complete solution.

Stefano Zanero wrote:
> Security Group wrote:
> 
>> I am currently evaluating several host-based Intrusion Detection
>> Systems to monitor servers in a DMZ. 
> 
> Which type of servers ?
> 
>> OSSEC
> 
> Which is a log-based IDS...
> 
>> Open Source Tripwire
> 
> This is a file alteration monitor...
> 
>> IBM Proventia
>> Enterasys Dragon IDS/IPS
> 
> Aren't these NIDS ?
> 
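The hash-based file integrity checking that Brad describes for OSSEC (and that Tripwire and AIDE are built around) reduces to a baseline-and-compare loop. The following is an added illustration written for this thread, not code from OSSEC or any other product listed; the sample tree and the tampering in demo() are constructed.

```python
"""Minimal hash-based file integrity check, the technique behind Tripwire,
AIDE and OSSEC's syscheck. Added example only; not code from any of them."""
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Hash file contents and record the metadata a HIDS usually watches too."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777), "uid": st.st_uid}


def baseline(root) -> dict:
    """Fingerprint every regular file under root, keyed by relative POSIX path.
    Symlinks are skipped so a link cannot pull an outside file into the scan."""
    root_path = Path(root)
    return {p.relative_to(root_path).as_posix(): fingerprint(p)
            for p in sorted(root_path.rglob("*"))
            if p.is_file() and not p.is_symlink()}


def compare(old: dict, new: dict) -> dict:
    """Classify each path as added, removed or modified since the baseline.
    The baseline must be stored where the monitored host cannot rewrite it."""
    common = set(old) & set(new)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(f for f in common if old[f] != new[f])}


def demo() -> dict:
    """Build a constructed sample tree, baseline it, change it, return the report."""
    root = Path(tempfile.mkdtemp(prefix="fim-"))
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    before = baseline(root)
    # Constructed changes: one file edited, one deleted, one created.
    (root / "etc" / "passwd").write_text(
        "root:x:0:0:root:/root:/bin/sh\nguest:x:1001:1001::/home/guest:/bin/sh\n")
    (root / "etc" / "hosts").unlink()
    (root / "etc" / "rc.local").write_text("#!/bin/sh\n")
    return compare(before, baseline(root))


if __name__ == "__main__":
    print(demo())
```

A real deployment also has to exclude paths that legitimately churn (logs, spool directories) and run the scan from a read-only or remote copy of the baseline, otherwise an attacker who gains root simply re-baselines.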

Kirk, James P. | 20 Oct 2008 23:32

RE: Host Based IDS

Babel said:

> > Enterasys Dragon IDS/IPS

Then Stefano said:

> Aren't these NIDS ?

Dragon does HIDS as well.

 
J. Kirk


Dharmendra T | 21 Oct 2008 07:42

Re: Host Based IDS

Dear Babel,

I would suggest you go for Symantec Critical System Protection. It
has a lot of functionality and is cost effective.

Regards,
Dharmendra T.

Security Group wrote:
> Hello,
>
> I am currently evaluating several host-based Intrusion Detection
> Systems to monitor servers in a DMZ. My company only wants to monitor
> for suspecious behaviour on critical servers, without the need for a
> company wide security system. I am not interested in a network-bases
> ids because this is already covered by our company.
> The list below contains my findings so far;
>
> OSSEC
> Open Source Tripwire
> SAMHAIN
> OSIRIS
> AIDE
> Third Brigade Deep Security
> Symantec Critical System Protection
> IBM Proventia
> Enterasys Dragon IDS/IPS
> McAfee Total Protection for Endpoint
> CA Host-Based Intrusion Prevention System r8
> GFiEventsManager