IDS: Re: [ANN]: Firestorm 0.5.1 released

From: Gianni Tedesco <gianni_at_ecsc.co.uk>
Date: 04 Dec 2002 15:52:21 +0000

On Wed, 2002-12-04 at 07:52, sam wrote:
> It seems a good tool to use. Is it another signature-based IDS, not anything
> like Flow-based IDS?
> sam

For now it is signature-based (with some state, e.g. IP defragmentation
and TCP state tracking) but I am actually aiming towards what I guess
you mean by flow-based.

In the near future firestorm will support TCP stream reassembly, full
application layer decode for selected protocols and also application
layer state tracking.

For example, SMTP state tracking such that if an attacker connects to an
SMTP server and sends "VRFY root\r\n", firestorm will only alert if it
was done in state (e.g. after a successful "MAIL" command, and not as
part of the body of a mail message).

Is this the kind of thing you mean by 'flow based'?

Personally I can't wait to implement this. I get a lot of false positives
in POP3, where some POP3 commands are interpreted as viruses inside
email, and also large HTTP POSTs where post data is interpreted as though
it were part of the request.

PS. I am also researching a few different methods for doing anomaly
detection too, more on that when I get something implemented.

Thanks for the interest.

-- 
// Gianni Tedesco (gianni at ecsc dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D

Received on Dec 05 2002
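The following is an added illustration of the SMTP state tracking idea discussed in the message above; it is example code written for this page, not Firestorm's own implementation. It models a deliberately small subset of SMTP (no pipelining, no STARTTLS, no multi-line replies beyond the continuation dash) and feeds it two constructed conversations: one where "VRFY root" is sent as a command, and one where the same text appears inside a message body after DATA. The signature table, the phase names and the sample lines are all assumptions made for the example; the same approach would apply to the POP3 and HTTP POST false positives mentioned, but only SMTP is shown here.

```python
import re

# Signature table (constructed for this example): name, pattern applied to a
# client line, and the SMTP phases in which the signature is allowed to fire.
# Phases: COMMAND = no transaction open, TRANSACTION = a MAIL command has been
# accepted, DATA = the client is sending the message body.
SIGNATURES = [
    ("SMTP VRFY root", re.compile(r"^VRFY\s+root\b", re.I), {"COMMAND", "TRANSACTION"}),
    ("SMTP EXPN", re.compile(r"^EXPN\s+\S+", re.I), {"COMMAND", "TRANSACTION"}),
]


class SmtpStateTracker:
    """Tracks just enough SMTP state to tell commands from message body."""

    def __init__(self):
        self.in_data = False   # True between an accepted DATA (354) and the lone "."
        self.pending = None    # verb of the last client command still awaiting a reply
        self.mail_ok = False   # a MAIL command was accepted in the current transaction

    def phase(self):
        if self.in_data:
            return "DATA"
        return "TRANSACTION" if self.mail_ok else "COMMAND"

    def client_line(self, line):
        """Feed one client line (CRLF stripped); returns the phase it was sent in."""
        sent_in = self.phase()
        if self.in_data:
            if line == ".":            # end of body; server will answer 250/5xx next
                self.in_data = False
                self.mail_ok = False
                self.pending = "DATA-END"
            return sent_in             # body text never counts as a command
        self.pending = line.split(" ", 1)[0].upper()
        if self.pending in ("RSET", "HELO", "EHLO"):
            self.mail_ok = False       # these abort any open transaction
        return sent_in

    def server_line(self, line):
        """Feed one server reply line; transitions depend on the reply code."""
        m = re.match(r"^(\d{3})[ -]", line)
        if not m:
            return
        code = int(m.group(1))
        if self.pending == "MAIL" and 200 <= code < 300:
            self.mail_ok = True
        elif self.pending == "DATA" and code == 354:
            self.in_data = True        # body follows until a line containing only "."
        if line[3:4] != "-":           # final line of the reply; command is answered
            self.pending = None


def scan(events, stateful=True):
    """Run SIGNATURES over a reconstructed conversation.

    events: list of ("C" | "S", line). Returns [(signature name, line), ...].
    stateful=False matches every client line regardless of phase, which is
    exactly what produces the body false positives.
    """
    tracker = SmtpStateTracker()
    alerts = []
    for direction, line in events:
        if direction == "S":
            tracker.server_line(line)
            continue
        phase = tracker.client_line(line)
        for name, pattern, phases in SIGNATURES:
            if pattern.search(line) and (not stateful or phase in phases):
                alerts.append((name, line))
    return alerts


# Constructed sample 1: a probe that issues VRFY as a real command.
PROBE = [
    ("S", "220 mail.example.test ESMTP"),
    ("C", "HELO scanner.example.test"),
    ("S", "250 mail.example.test"),
    ("C", "VRFY root"),
    ("S", "252 Cannot VRFY user"),
    ("C", "QUIT"),
    ("S", "221 Bye"),
]

# Constructed sample 2: the same strings inside a legitimate message body.
BODY = [
    ("S", "220 mail.example.test ESMTP"),
    ("C", "EHLO client.example.test"),
    ("S", "250-mail.example.test"),
    ("S", "250 SIZE 10240000"),
    ("C", "MAIL FROM:<alice@example.test>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<bob@example.test>"),
    ("S", "250 OK"),
    ("C", "DATA"),
    ("S", "354 End data with <CR><LF>.<CR><LF>"),
    ("C", "Subject: scan results"),
    ("C", ""),
    ("C", "The attacker sent:"),
    ("C", "VRFY root"),
    ("C", "EXPN postmaster"),
    ("C", "."),
    ("S", "250 OK queued"),
    ("C", "QUIT"),
    ("S", "221 Bye"),
]

if __name__ == "__main__":
    for label, conv in (("probe", PROBE), ("body", BODY)):
        print(label, "stateless:", scan(conv, stateful=False))
        print(label, "stateful: ", scan(conv))
```

The stateless pass fires on both conversations; the stateful pass fires only on the probe, because the tracker knows the body lines were sent in the DATA phase. Note that the tracker trusts the server's reply codes to drive transitions, so an IDS doing this for real needs both directions of the reassembled stream, not just the client side.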