Rules / Anomaly Based Hybrid

  1. #1
    tonybradley (AO Security for Non-Geeks), joined Aug 2002

    Rules / Anomaly Based Hybrid

    There is no clear answer as to which solution is better, as each has its advantages and disadvantages, but it is possible to put rule-based IDS solutions to use as if they were anomaly based. This document describes possible ways of doing that by modifying the signatures. All the examples and solutions are based upon Snort IDS, which is an open-source solution, freely available and well established on the market. Although this solution is open-source, there are many companies offering support or even appliance or turnkey solutions.

    The methods discussed in the paper from Packet Storm are interesting. They sound very similar to the methods used by Securify (see my Securify SecureVantage post).

    By making up rules that attempt to detect anomalous traffic you can potentially use rules-based IDS to detect threats for which you don't currently have a signature.

    It's not fool-proof (aside from disconnecting from the Internet and turning your computer off, what is?), but it is an intriguing paper.
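    The idea in the quoted paper, writing signature-style rules that encode known-good behaviour and alert on the deviation, plus rate thresholds that flag bursts rather than a specific payload, can be sketched in code. What follows is an added example written for this page; it is not code from the paper, from Snort, or from the poster. The $HOME_NET range, the approved mail-server list, the three rules, and the packet records are all constructed for illustration, and the engine is a toy that imitates Snort's per-source `threshold` behaviour rather than being Snort.

```python
"""Rule-based IDS logic used for anomaly detection: a tiny Snort-like engine
over constructed packet records (added example, not from the paper or Snort)."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, List, Tuple

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed, plays the role of Snort's $HOME_NET
MAIL_SERVERS = {"10.0.0.25"}                    # hypothetical list of approved SMTP senders


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start
    src: str
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    size: int        # payload bytes (what Snort's dsize tests)
    syn_only: bool = False   # TCP SYN without ACK (what Snort's flags:S tests)


@dataclass
class Rule:
    sid: int
    msg: str
    match: Callable[[Packet], bool]
    # Snort-style "threshold: type threshold, track by_src": alert only once
    # `count` matching packets from one source have been seen within `seconds`.
    count: int = 1
    seconds: float = 0.0


def in_home(addr: str) -> bool:
    return ipaddress.ip_address(addr) in HOME_NET


# Anomaly-style rules: each encodes "known good" and alerts on the deviation,
# so no attack-specific signature is needed.
RULES = [
    # Any internal host other than the mail servers talking SMTP outbound is abnormal.
    Rule(1000001, "Outbound SMTP from non-mail-server host",
         lambda p: p.proto == "tcp" and p.dport == 25
         and in_home(p.src) and p.src not in MAIL_SERVERS and not in_home(p.dst)),
    # A UDP DNS query over 512 bytes is abnormal for classic DNS.
    Rule(1000002, "Oversized UDP DNS query",
         lambda p: p.proto == "udp" and p.dport == 53 and p.size > 512),
    # Ten bare SYNs from one outside source into HOME_NET within five seconds: scan-like rate.
    Rule(1000003, "SYN burst from external source (possible scan)",
         lambda p: p.syn_only and not in_home(p.src) and in_home(p.dst),
         count=10, seconds=5.0),
]


class Engine:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.hist = defaultdict(deque)  # (sid, src) -> timestamps of recent matches

    def process(self, pkt: Packet) -> List[Tuple[float, int, str, str]]:
        alerts = []
        for r in self.rules:
            if not r.match(pkt):
                continue
            if r.count <= 1:
                alerts.append((pkt.ts, r.sid, r.msg, pkt.src))
                continue
            q = self.hist[(r.sid, pkt.src)]
            q.append(pkt.ts)
            while q and pkt.ts - q[0] > r.seconds:   # slide the time window forward
                q.popleft()
            if len(q) >= r.count:
                alerts.append((pkt.ts, r.sid, r.msg, pkt.src))
                q.clear()   # like a Snort threshold: start counting again after firing
        return alerts


def run_demo() -> List[Tuple[float, int, str, str]]:
    """Replays constructed traffic and returns the alerts raised (constructed data)."""
    traffic = [
        Packet(0.0, "10.0.1.5", "93.184.216.34", 443, "tcp", 300),   # normal HTTPS
        Packet(1.0, "10.0.0.25", "203.0.113.9", 25, "tcp", 800),     # approved mail server
        Packet(2.0, "10.0.1.7", "203.0.113.9", 25, "tcp", 800),      # workstation sending SMTP
        Packet(3.0, "10.0.1.5", "10.0.0.53", 53, "udp", 60),         # normal DNS
        Packet(4.0, "10.0.1.5", "10.0.0.53", 53, "udp", 900),        # oversized DNS
    ]
    # 16 bare SYNs to consecutive ports within 0.8 s: fires once at the 10th, 6 left in window.
    traffic += [Packet(10.0 + i * 0.05, "198.51.100.7", "10.0.2.2", 20 + i, "tcp", 0, syn_only=True)
                for i in range(16)]
    eng = Engine(RULES)
    alerts = []
    for pkt in traffic:
        alerts.extend(eng.process(pkt))
    return alerts


if __name__ == "__main__":
    for ts, sid, msg, src in run_demo():
        print(f"[{ts:6.2f}] sid={sid} {msg} src={src}")
```

    Running the replay raises three alerts: the workstation's SMTP, the oversized DNS query, and one SYN-burst alert at the tenth SYN. The first two rules are pure "deviation from policy" rules, and the third is a rate rule; none of them names an exploit, which is the point of the approach the paper describes. The trade-off is the one the post hints at: such rules catch unknown threats only as far as the known-good model is accurate, and a coarse rate rule like the third will also trip on a legitimate burst of connections.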

  2. #2
    VicE$DoS$ (Senior Member), joined Nov 2002
    If this is something you have an interest in, check out

    It's all a bit biased towards ISS RealSecure but does have some conceptually interesting points.

    I remember when Nihil was ickle. Does that mean I'm old?
