to davinci:
1st, you could have continued this in the old thread as it wasn't that old, has the same basic topic, and people wouldn't have to search for it to see the post and responses here
2nd, I am not a programmer so I can't really help you, but did you mean libpcap (note here that it is being maintained by the people at tcpdump) or, for MS Win machines, WinPcap? "what are useful libraries like libcp or how can tcpdump be used."
to |3lack|ce:
Excuse me please if I take this out of order a bit. Everyone logged on your net is a threat! What would you look for that wouldn't show everyone logged to your net as a threat?
Before getting into the technical debate you are looking for, I think it important to examine the philosophical area so we know what your idea of "realtime" is. I submit that you can't do a realtime intrusion detection system because:
Is it a system that logs intrusion attempts as they occur to be examined months later only after an admin realizes the box was rooted ?
Or does it need to flash a big red screen and sound bells and whistles at 11:00 P.M. on Friday when no one will be around to see it until Tuesday? (holiday weekend ... they love holiday weekends)
Just looking for a baseline here .....
Remember, I didn't name these things, so don't blame me. I don't believe a true IDS exists. No matter what happens, you need an experienced person to look at and evaluate the results to determine if there is an actual intrusion or attempted intrusion. Maybe they should have called them "Possible Intrusion of System Security Indicators" (PISSI)?
Back to "What would you look for that wouldn't show everyone logged to your net as a threat?" How about:
SCAN nmap XMAS for a start?
or
MS-SQL Worm propagation attempt
ICMP PING CyberKit 2.2 Windows
ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
hope this gets things moving a bit !
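As an added example (not written by either poster in this thread), here is a small Python detector for the first signature listed in the post above, "SCAN nmap XMAS": it flags TCP packets carrying exactly FIN+PSH+URG, the flag combination that signature tests for, and only reports a source once it has probed several distinct ports, which is one answer to the "everyone logged on is a threat" objection. The packet records, addresses and the `min_ports` threshold are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# TCP flag bits as laid out in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # the "lit up" flag set that an nmap -sX probe carries

# A packet record: (source IP, destination IP, destination port, TCP flags byte).
Packet = Tuple[str, str, int, int]


def is_xmas(flags: int) -> bool:
    """True when the flags byte is exactly FIN+PSH+URG.

    The classic IDS signature matches this exact combination; no normal
    TCP stack sends it, so even a single hit is worth a look.
    """
    return flags == XMAS


def xmas_scan_sources(packets: Iterable[Packet], min_ports: int = 3) -> Dict[str, List[int]]:
    """Return {source: [probed ports]} for sources that sent XMAS packets
    to at least `min_ports` distinct ports (hypothetical threshold). The
    port count separates a sweep from a one-off oddity, so the admin is
    not paged for every host on the wire."""
    probed = defaultdict(set)
    for src, _dst, dport, flags in packets:
        if is_xmas(flags):
            probed[src].add(dport)
    return {src: sorted(ports) for src, ports in probed.items() if len(ports) >= min_ports}


# Constructed sample traffic (hypothetical addresses): one host doing a normal
# handshake, data push and close; one host sweeping ports; one stray packet.
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.5", "10.0.0.80", 80, SYN),          # ordinary connection setup
    ("10.0.0.5", "10.0.0.80", 80, ACK),
    ("10.0.0.5", "10.0.0.80", 80, PSH | ACK),    # normal data segment
    ("10.0.0.5", "10.0.0.80", 80, FIN | ACK),    # normal close
    ("10.0.0.9", "10.0.0.80", 21, XMAS),         # port sweep with XMAS flags
    ("10.0.0.9", "10.0.0.80", 22, XMAS),
    ("10.0.0.9", "10.0.0.80", 25, XMAS),
    ("10.0.0.9", "10.0.0.80", 80, XMAS),
    ("10.0.0.7", "10.0.0.80", 443, XMAS),        # single packet, below threshold
]

if __name__ == "__main__":
    for src, ports in xmas_scan_sources(SAMPLE_PACKETS).items():
        print(f"SCAN nmap XMAS from {src}: ports {ports}")
```

Running it reports only 10.0.0.9; the single packet from 10.0.0.7 still counts as an XMAS hit but stays below the sweep threshold, which is exactly the kind of judgement call the post says a human has to make.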