(I know this overlaps with the Intrusion detection list, but I think that
reacting to people knocking on your front door is also a firewalls issue)
Sick Puppy wrote:
> Wolfgang made some interesting points on using pattern matching software
> to detect any suspicious activity and having it trigger some action by
> the firewall.
>
> While this approach would guard against known types of attack, it would
> not be able to detect attacks where the pattern is unknown.
This all depends upon how you code your detector. If your program
only matches the footprints of Satan, ISS, and other known programs, you are
only protected for those attacks. But if your code is more general, looking
at generic patterns of connections that your site has determined as "bad", Satan
and ISS will probably be a subset of these generic patterns. When coding
automatic detectors/countermeasures you need to look for trees, not just oaks
and maples.
The other thing that you have to decide for your detector is the
time frame to look at. Courtney (or at least 1.0--I haven't looked at 1.1
yet) looks at connections over the last 7 minutes. All you need to do to break
this is slow Satan down with the equivalent of a bunch of sleep()s and Courtney
wouldn't see anything. Maybe the last 30 minutes is the timeframe that you
want to look at. Personally, I'd like to have a program that was generic
enough to look at the last n minutes (where you define n to suit your needs)
and a version that looks at all connections over the last day, week, whatever,
that tries to catch the sneaky, patient cracker. Of course if he was really
sneaky, he'd run his version of Satan (or his equivalent) issuing one detectable
event from a different site over a long span of time...
-Benjamin Smith
----------------
Science Applications International Corporation
Naval Air Warfare Center, Weapons Division, China Lake
bens@archimedes.vislab.navy.mil
1972 Land Rover Series III 88
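The point about the detection window above can be made concrete with a small sliding-window detector. The following is an added example, not code from the original post or from Courtney; it counts how many distinct destination ports a single source touches within any span of n minutes and flags the source once that count reaches a threshold. The event format, host addresses and connection timestamps are all constructed for the example. Run against the constructed sample below, a fast probe of 20 ports is caught with a 7-minute window, while the same 20 ports spaced 5 minutes apart are only caught when the window is widened to a day.

```python
from collections import Counter, defaultdict, deque
from typing import Dict, Iterable, List, NamedTuple


class ConnEvent(NamedTuple):
    """One observed connection attempt (constructed log format for this example)."""
    ts: float     # seconds since epoch
    src: str      # source host that initiated the connection
    dport: int    # destination port it tried to reach


def detect_scanners(events: Iterable[ConnEvent],
                    window_minutes: float,
                    min_ports: int) -> Dict[str, int]:
    """Return {src: peak_distinct_ports} for every source that reached at
    least min_ports distinct destination ports within some window_minutes span.

    The window slides over each source's connections in time order, so the
    cost is linear in the number of events per source.
    """
    window = window_minutes * 60.0
    by_src: Dict[str, List[ConnEvent]] = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    flagged: Dict[str, int] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        in_window: deque = deque()       # events still inside the window
        port_counts: Counter = Counter()  # distinct ports currently in the window
        peak = 0
        for ev in evs:
            in_window.append(ev)
            port_counts[ev.dport] += 1
            # Evict everything older than the window relative to this event.
            while in_window and ev.ts - in_window[0].ts > window:
                old = in_window.popleft()
                port_counts[old.dport] -= 1
                if port_counts[old.dport] == 0:
                    del port_counts[old.dport]
            peak = max(peak, len(port_counts))
        if peak >= min_ports:
            flagged[src] = peak
    return flagged


def sample_events() -> List[ConnEvent]:
    """Constructed sample: a fast scanner, a slow scanner and a benign host."""
    evs: List[ConnEvent] = []
    base = 1_000_000.0
    # Fast scanner: 20 distinct ports inside one minute.
    for i in range(20):
        evs.append(ConnEvent(ts=base + i * 3, src="10.0.0.5", dport=1 + i))
    # Slow scanner: the same 20 ports, one every 5 minutes (100 minutes total),
    # which never puts more than 2 ports inside any 7-minute span.
    for i in range(20):
        evs.append(ConnEvent(ts=base + i * 300, src="10.0.0.9", dport=1 + i))
    # Benign host: three ordinary services.
    for i, port in enumerate((22, 80, 443)):
        evs.append(ConnEvent(ts=base + i * 10, src="10.0.0.2", dport=port))
    return evs


if __name__ == "__main__":
    evs = sample_events()
    print("7-minute window :", detect_scanners(evs, window_minutes=7, min_ports=10))
    print("1-day window    :", detect_scanners(evs, window_minutes=1440, min_ports=10))
```

The window length and threshold are the two knobs the post argues over: a short window keeps memory small and catches a noisy scan quickly, a long one trades memory for visibility into the patient probe. Counting per source, as this does, still misses the case the post ends on, where each probe comes from a different host; catching that needs the key to be the target (or target port set) rather than the source.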