[Discussion] Features suggestion

Fri Nov 14 15:41:16 UTC 2008

Hi all,

Following on from what Jeremy raised regarding knowing what happened after
an alert fired - given that we need to see the subsequent packets in a
stream (after the triggering one(s)) to determine if an exploit was
successful, in some situations couldn't that be automated by the IDS? Like
extending the flowbits function of snort to not just detect an attempted
exploit, but evaluate the victim response to determine if the attack was
successful or not. Or perhaps at least confirming that it failed, and thus
issuing a lower severity alert.

For example, a web attack is detected, the equivalent of a flowbit for
'web-attack' is set, and the ids checks for a 404 (or similar) response - if
so, it suggests the attack was unsuccesful. If it sees a 200 OK server
response, the alert has higher severity.

Or watching for succesful brute force attacks - easy for a signature to
detect many attempts to login in a short space of time, perhaps detect many
failed attempts in a short space of time - of more interest is many failed
and then successful  -okay, perhaps this belongs in the realm of a
correlation SIEM app, but a thought.

Mainly, I'm thinking why not offload some of the analyst work of
investigating network traffic associated with an ids signature match onto
the ids itself. At least as far as server response goes - most signatures
are built to answer the question - 'is this traffic malicious or not?' Why
not build them so they also try to answer - 'and was it successful or not?'

Cheers,
Christian
<discussion%40openinfosecfoundation.org?Subject=%5BDiscussion%5D%20Features%20suggestion&In-Reply-To=>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/discussion/attachments/20081115/28d496da/attachment-0002.html>