(Reproduced) How to reduce IDS false negatives and false positives


How to reduce IDS false negatives and false positives

Release Date: 2002-01-29

Abstract:

[China Computer News]   01-12-6

Currently, the false negative rate and false positive rate of IDS are too high, and this has always been a major problem for IDS users.

First, attackers commonly evade IDS monitoring by fragmenting IP packets. Many IDS systems have no fragment reassembly capability, so they cannot identify attacks that use fragmentation techniques. If your NIDS cannot reassemble fragments, consider replacing the product, or require the vendor to provide an upgraded version that performs fragment reassembly.

Rule-based NIDS tend to define default ports in their rules and usually assume that the destination port is fixed. For example, a Trojan rule is defined on the Trojan's default port, but the communication port of most Trojans can be changed, so most NIDS cannot identify such Trojan attacks. We believe that matching a Trojan by its default port alone is not a reliable rule; the Trojan should be analyzed in depth, and combining several of its features can reduce both false negatives and false positives.

Some have proposed a new way to evade IDS and attack by exploiting peculiarities of a protocol. For example, in a DNS response packet, a compression scheme is used to save space by pointing to a domain name that already appeared earlier in the packet. There is no need to use this compression in a DNS request packet, but at least BIND 8.x versions still interpret compression pointers in requests. An attack packet constructed with a compression pointer is therefore accepted and processed by the BIND 8.x daemon, but an IDS that uses pattern matching will not detect it. Robert Graham's demonstration shows that similar weaknesses exist in several protocols, such as DNS, FTP, and RPC. For a pattern-matching IDS, attacks on such protocols simply cannot be identified. The solution is to use a protocol-analysis IDS, which first decodes the collected data and then matches it, or to use a process-based IDS such as NFR's NID, for which N-Code can be written to detect this kind of attack. Both methods cost some performance; accuracy and speed are difficult to have at once.

Another topic is how to reduce the false negative and false positive rate for port scans. The method used by early IDS was to define a time period; if the number of connections from a source within that period exceeded a predetermined value, it was considered a port scan. The disadvantage of this method is that if the scan lasts longer than the defined period, so that the number of ports scanned within any one period stays below the preset connection count, the scan will not be recognized. The solution is to analyze collected data over a longer term, so that very slow scans cannot escape IDS monitoring. The above solutions are reflected in the "Tianye" intrusion detection system 2.0 of Chinese Netwate.
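The following is an added example (not code from the original article or from any IDS product it mentions) that contrasts the two port-scan detection approaches described above on a constructed connection log: a fixed-window connection-count threshold, and a long-horizon count of distinct destination ports per source. The window, horizon, threshold values and the IP addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample log of (timestamp_seconds, src_ip, dst_port) attempts.
# 10.0.0.5: slow scan, one new port every 30 s for 20 minutes.
# 10.0.0.7: fast scan, 20 ports in 20 seconds.
# 10.0.0.9: benign host that reconnects to ports 80/443 every 10 s.
SAMPLE = (
    [(t * 30, "10.0.0.5", 1000 + t) for t in range(40)]
    + [(500 + t, "10.0.0.7", 2000 + t) for t in range(20)]
    + [(t * 10, "10.0.0.9", 80 if t % 2 else 443) for t in range(120)]
)


def fixed_window_scan_detector(events, window=60, threshold=10):
    """Early-IDS style: flag a source whose number of connections within
    any `window`-second interval reaches `threshold`."""
    flagged = set()
    per_src = defaultdict(deque)  # recent timestamps per source
    for ts, src, _port in sorted(events):
        q = per_src[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def long_term_scan_detector(events, horizon=3600, distinct_ports=10):
    """Long-horizon variant: count DISTINCT destination ports per source
    over `horizon` seconds, so spreading probes out in time does not
    reset the count the way a short window does."""
    flagged = set()
    per_src = defaultdict(deque)  # (timestamp, port) pairs within horizon
    for ts, src, port in sorted(events):
        q = per_src[src]
        q.append((ts, port))
        while q and ts - q[0][0] > horizon:
            q.popleft()
        if len({p for _t, p in q}) >= distinct_ports:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    print("fixed window :", fixed_window_scan_detector(SAMPLE))   # only the fast scan
    print("long horizon :", long_term_scan_detector(SAMPLE))      # slow and fast scan
```

With these settings the slow scanner never exceeds three connections in any 60-second window and is missed by the first detector, while the distinct-port count over an hour catches it without flagging the benign host.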
