On Wed, 2002-12-04 at 07:52, sam wrote:
> It seems a good tool to use. Is it another signature-based IDS, not anything
> like Flow-based IDS?
> sam

For now it is signature based (with some state, eg: ip-defragmentation and tcp state tracking) but I am actually aiming towards what I guess you mean by flow-based. In the near future firestorm will support TCP stream reassembly, full application layer decode for selected protocols and also application layer state tracking.

For example, SMTP state tracking such that if an attacker connects to an SMTP server and sends "VRFY root\r\n", firestorm will only alert if it was done in state (eg: after a successful "MAIL" command, and not as part of the body of a mail message). Is this the kind of thing you mean by 'flow based'?

Personally I can't wait to implement this. I get a lot of false positives in POP3, where some POP3 commands are interpreted as viruses inside email, and also large HTTP POSTs where post data is interpreted as though it were part of the request.

PS. I am also researching a few different methods for doing anomaly detection too, more on that when I get something implemented.

Thanks for the interest.

--
// Gianni Tedesco (gianni at ecsc dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
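The reply above describes evaluating a signature such as "VRFY root" only when the SMTP session is actually in a command state, so that the same bytes inside a message body do not fire. The following Python is an added illustration of that idea, not code from Firestorm or from anyone in the thread. The state names, the simplified transition rules (HELO/MAIL/RCPT accepted with a 2xx reply, DATA accepted with 354, a lone "." ending the body) and the sample session transcript are all constructed for the example; it runs a naive per-line matcher and the state-aware matcher over the same transcript so the false positive the message complains about is visible.

```python
"""Toy SMTP session tracker: fire a content signature only in protocol state.

Added example; the states and transcript below are constructed, not from
Firestorm or from the mailing-list thread.
"""
import re
from dataclasses import dataclass, field

# Simplified SMTP session states (constructed for this example).
INIT, COMMAND, MAIL, RCPT, DATA, EOD = "INIT", "COMMAND", "MAIL", "RCPT", "DATA", "EOD"
# States in which a client line is parsed by the server as a command.
COMMAND_PHASE = {INIT, COMMAND, MAIL, RCPT}

# The content signature from the message: a VRFY for root.
VRFY_ROOT = re.compile(rb"^VRFY\s+root\s*$", re.IGNORECASE)


def vrfy_root_rule(state: str, line: bytes) -> bool:
    """Signature plus state condition: match only when the line is a real command."""
    return state in COMMAND_PHASE and VRFY_ROOT.match(line) is not None


@dataclass
class SmtpTracker:
    state: str = INIT
    alerts: list = field(default_factory=list)
    pending: bytes = b""  # verb of the client command that awaits a server reply

    def client(self, line: bytes) -> None:
        """Consume one client-to-server line."""
        line = line.rstrip(b"\r\n")
        if self.state == DATA:
            # Message body: only a lone "." is protocol, everything else is payload.
            if line == b".":
                self.state, self.pending = EOD, b"."
            return
        self.pending = line.split(b" ", 1)[0].upper()
        if vrfy_root_rule(self.state, line):
            self.alerts.append((self.state, line))

    def server(self, line: bytes) -> None:
        """Consume one server-to-client reply and advance the session state."""
        code = line[:3]
        ok = code.startswith(b"2")
        if self.pending in (b"HELO", b"EHLO", b"RSET") and ok:
            self.state = COMMAND
        elif self.pending == b"MAIL" and ok:
            self.state = MAIL
        elif self.pending == b"RCPT" and ok:
            self.state = RCPT
        elif self.pending == b"DATA" and code == b"354":
            self.state = DATA
        elif self.pending == b"." and self.state == EOD:
            self.state = COMMAND  # message accepted or rejected: back to commands
        self.pending = b""  # continuation lines of a multi-line reply change nothing


def run(session):
    """Feed a (direction, line) transcript through the tracker; return alerts."""
    t = SmtpTracker()
    for who, line in session:
        (t.client if who == "C" else t.server)(line)
    return t.alerts


def stateless_hits(session):
    """What a per-line matcher with no protocol state would flag."""
    return [l.rstrip(b"\r\n") for who, l in session
            if who == "C" and VRFY_ROOT.match(l.rstrip(b"\r\n"))]


# Constructed transcript: the signature text appears once inside a mail body
# and once as an actual command after the message was queued.
SESSION = [
    ("S", b"220 mail.example.test ESMTP\r\n"),
    ("C", b"EHLO client.example.test\r\n"),
    ("S", b"250 mail.example.test\r\n"),
    ("C", b"MAIL FROM:<alice@example.test>\r\n"),
    ("S", b"250 OK\r\n"),
    ("C", b"RCPT TO:<bob@example.test>\r\n"),
    ("S", b"250 OK\r\n"),
    ("C", b"DATA\r\n"),
    ("S", b"354 End data with <CR><LF>.<CR><LF>\r\n"),
    ("C", b"Subject: re: your note\r\n"),
    ("C", b"\r\n"),
    ("C", b"the exact command was\r\n"),
    ("C", b"VRFY root\r\n"),            # body text, not a command
    ("C", b"and the server answered 252.\r\n"),
    ("C", b".\r\n"),
    ("S", b"250 Queued\r\n"),
    ("C", b"VRFY root\r\n"),            # genuine command in COMMAND state
    ("S", b"252 Cannot VRFY user\r\n"),
    ("C", b"QUIT\r\n"),
    ("S", b"221 Bye\r\n"),
]

if __name__ == "__main__":
    print("stateless hits:", stateless_hits(SESSION))   # two hits, one is a false positive
    print("stateful alerts:", run(SESSION))              # only the real command
```

The naive matcher reports two hits while the tracker reports one, the real VRFY in COMMAND state, which is the behaviour the message describes. The same structure (a small per-protocol state machine gating the content rules) is what removes the POP3 and HTTP POST body false positives mentioned above, with the body-versus-command boundary defined by that protocol instead.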