[Dshield] Signature-based defense in '03/'04

Chris Brenton cbrenton at chrisbrenton.org
Tue Jan 6 15:43:15 GMT 2004

What up dude,

On Mon, 2004-01-05 at 14:36, Pete Cap wrote:
> how would you rate the performance of your intrusion-detection system?

My two favorites are Snort and Dragon. Both have their strengths and

> What's your opinion on signature-based defense versus anomaly-detection-based defense?

Again, both have their strengths and weaknesses. Signatures are good for
catching what you expect, but miss everything else. Anomaly catches the
stuff you didn't expect, but can generate more false positives (if we
are talking on the wire, host based is pretty accurate). 

Also, nothing says you can't tweak your signature IDS to look for
anomalies. For example, consider the following Snort rule:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"Small MTU";
fragbits:M; dsize: < 500;)

So this alerts on any IP packets that have the "more fragments" bit set,
and a payload less than 500 bytes in size (note this rule will not work
if its a TCP packet *and* you are doing stream reassembly for the target
port). This would be an odd packet as you would need to cross an MTU of
less than 520 bytes or so for this to kick in. That or hard set your
system to an MTU below this level.

So little Bobby the script kiddie comes up with a 0-day against your IIS
Web server and decides to frag the stream to fly in under the radar.
Because the packets are not normal, you would capture the data and
(hopefully) figure out what is going on. 

So instead of using your signature based IDS to look for a specific
signature, you clue in on what's not normal for your environment. This
is the same as an anomaly system, they just do the work for you.

> How much faith are you putting into your system in the new year?

I don't trust any one solution fully, that's why I use defense in-depth
(now available as a handy aerosol with "Pine" fresh scent! ;-)

Seriously, its the strengths and weaknesses thing. Its a great solution
for what it does, no more, no less.

> At the moment I am trying to convince my employer that it is worth the time & money expenditure to add an anomaly-detection system or hybrid system,

If you are a Snort user, check out:

pretty cool stuff. :)


More information about the list mailing list