Section: .. / papers / IDS /
| /// File Name: |
ACF48CB.doc |
Description:
|
A Distributed Approach to Network Security - Paper which gives a overview of Distributed attacks and how IDS systems can detect them, and about the future of IDS systems and distributed attack tools.
| | Author: | Joe Walko | | File Size: | 194560 | | Last Modified: | Feb 2 01:04:56 2000 |
| MD5 Checksum: | f915af90ef1c722174323d1eb29851b9 |
|
| /// File Name: |
anomaly_rules_def.pdf |
Description:
|
This paper discusses using Snort as an anomaly based IDS, outlining the utilization of different deployments with listings of advantages and disadvantages.
| | Author: | Lubomir Nistor | | File Size: | 21704 | | Last Modified: | Jan 27 21:05:35 2003 |
| MD5 Checksum: | 840f4fe86e49259b4ae53ed522238238 |
|
| /// File Name: |
Architecture.PDF |
Description:
|
White paper on the AIRIDS architecture ideology and framework that allows for an IDS to intelligently respond to attacks automatically.
| | Author: | Thomas Munn | | File Size: | 49871 | | Last Modified: | Mar 29 05:53:08 2003 |
| MD5 Checksum: | c292a8361cad98db519d7b55aaa33e87 |
|
| /// File Name: |
atstake_opensource_forensics.pdf |
Description:
|
Open Source Digital Forensics Tools: The Legal Argument - This paper addresses digital forensic analysis tools and their use in a legal setting. To enter scientific evidence into a United States court, a tool must be reliable and relevant. The reliability of evidence is tested by applying "Daubert" guidelines. To date, there have been few legal challenges to digital evidence, but as the field matures this will likely change. This paper examines the Daubert guidelines and shows that open source tools may more clearly and comprehensively meet the guidelines than closed source tools.
| | Author: | Brian Carrier | | Homepage: | http://www.atstake.com/research/tools/task | | File Size: | 175255 | | Last Modified: | Oct 10 04:07:44 2002 |
| MD5 Checksum: | 05afeff39bd1b2eed4c61fd5f2f1652c |
|
| /// File Name: |
canada93.ps |
Description:
|
Detecting Intruders in Computer Systems
| | File Size: | 216969 | | Last Modified: | Oct 1 23:22:47 1999 |
| MD5 Checksum: | 7d12e00b158d8df7672635a7f4c4f225 |
|
| /// File Name: |
fingerprint-port80.txt |
Description:
|
Fingerprinting Port 80 Attacks - This paper looks at some of the signatures that are used in web server attacks and what to look for in your logs.
| | Author: | Zenomorph | | Homepage: | http://www.cgisecurity.com | | File Size: | 23294 | | Last Modified: | Nov 6 08:03:44 2001 |
| MD5 Checksum: | 75f97cc427a782ee2a221d5344634bbd |
|
| /// File Name: |
fingerprinting-2.txt |
Description:
|
Fingerprinting Port 80 Attacks - A look into web server, and web application attack signatures, Part Two. Includes fingerprints, advanced fingerprints, cross site scripting examples, modified headers, more encoding, webserver codes and logging, and more.
| | Author: | Zenomorph | | Homepage: | http://www.cgisecurity.com | | File Size: | 29111 | | Last Modified: | Mar 8 08:50:24 2002 |
| MD5 Checksum: | 017c5af72321622e81779bcd097b07fa |
|
| /// File Name: |
fingerprinting.txt |
Description:
|
IDing remote hosts, without them knowing. This paper details the process of Passive Fingerprinting. Passive fingerprinting is based on sniffer traces from the remote system. Instead of actively querying the remote system, all you need to do is capture packets sent from the remote system. Based on the sniffer traces of these packets, you can determine the operating system of the remote host. Just like in active fingerprinting, passive fingerprinting is based on the principle that every operating system's IP stack has its own idiosyncrasies.
| | Author: | analyzing sniffer traces and identifying these differences, you may be able determine the operating system of the remote host. Craig Smith has written a proof of concept tool called passfing.tar.gz. Homepage here. | | File Size: | 10618 | | Last Modified: | May 16 23:16:40 2000 |
| MD5 Checksum: | 2aa7b3dc1c6b55b5165fe2debf6d98a4 |
|
| /// File Name: |
grids.pdf |
Description:
|
The Design of GrIDS - A whitepaper on a graph based Intrusion Detection System. GrIDS is a prototype intrusion detection system that was designed to explore the issues involved in doing large scale IDS.
| | Author: | Steven Cheung | | Homepage: | http://seclab.cs.ucdavis.edu/papers.html | | File Size: | 633131 | | Last Modified: | Jan 28 00:21:00 2000 |
| MD5 Checksum: | 8f3879879bd8712a1e08ccc9eb5f9be0 |
|
| /// Directory: |
/ hids / |
Description:
|
White paper section discussing host-based intrusion detection systems
| | Total Files: | 30 | | Last Modified: | Nov 10 21:30:43 2006 |
|
| /// File Name: |
ids.ps |
Description:
|
Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection by Thomas H. Ptacek.
| | File Size: | 748909 | | Last Modified: | Apr 20 01:47:38 2000 |
| MD5 Checksum: | 86520fa1e5b1cd86f19fdc232c0ad13d |
|
| /// File Name: |
Increasing_Performance_NIDS.pdf |
Description:
|
Increasing Performance in High Speed NIDS is a paper discussing a number of methods to increase performance in Snort and also NIDS in general. Discusses bottlenecks that Snort has, a brief history of snort pattern matching, and the work that Silicon Defense did with Aho-Corasick_Boyer-Moore, discussing the differences between network grep and protocol analysis.
| | Author: | Neil Desai | | Homepage: | http://www.snort.org | | File Size: | 341044 | | Last Modified: | Mar 8 08:44:45 2002 |
| MD5 Checksum: | c12ed4958867665a73045b0276cf74d0 |
|
| /// File Name: |
insidethreat.txt |
Description:
|
Protecting Corporate and Enterprise Networks Against Insider Threats - The aim of this text is to provide a basic understanding of how important it is to maintain security within the corporate network, and to offer some theory and technique that the Hacker (The insider) may use or may be using to penetrate vital systems within your organization.
| | Author: | Reflux | | File Size: | 8857 | | Last Modified: | Jul 25 22:01:57 2001 |
| MD5 Checksum: | 5b492c808a0e767a4868c29d6c156796 |
|
| /// File Name: |
intv2-8.pdf |
Description:
|
"Interpreting Network Traffic" takes a look at modern reconnaissance activity from the viewpoint of the intrusion detection analyst. The author introduces general principles of network intrusion detection, and explains the basics of a TCP connection through its representation in TCPDump format. He then dissects specific network events in TCPDump format, including scans, third party effects of SYN floods, and load balancing systems. He also presents an argument to refute the existence of "reset scans."
| | Author: | Richard Bejtlich | | File Size: | 89053 | | Last Modified: | Nov 5 01:02:23 2000 |
| MD5 Checksum: | 087154ed8b13dd2a529f7bcd3cdf7e38 |
|
| /// File Name: |
kaletonidspaper.pdf |
Description:
|
This paper investigates combining Misuse and Anomaly based IDS into one system. Misuse detection consists of defining malicious network traffic and monitoring for it. Anomaly detection consists of defining normal or typical network traffic and then detecting anything else. The perl source code for a prototype NIDS is included (requires TCPDump).
| | Author: | Kaleton Internet | | Homepage: | http://www.kaleton.com/research | | File Size: | 192860 | | Last Modified: | Feb 24 01:04:45 2003 |
| MD5 Checksum: | dcad0a1937d11540a93ae660a495b624 |
|
| /// File Name: |
lisapaper.ps |
Description:
|
PostScript version of "Snort - Lightweight Intrusion Detection for Networks"Authored By Martin Roesch! This paper discusses the architecture, performance, and uses of Snort. If makes a comparative analysis of Snort to some other wellknown programs used for similar purposes. There is also a nice rules tutorial contained in the document for those of you wanting to know how the rules system works.
| | Author: | Martin Roesch | | File Size: | 530705 | | Last Modified: | Oct 13 21:04:24 1999 |
| MD5 Checksum: | 1d27278603ea1903c21f03c671723df5 |
|
| /// File Name: |
lisapaper.txt |
Description:
|
Text version of "Snort - Lightweight Intrusion Detection for Networks"Authored By Martin Roesch! This paper discusses the architecture, performance, and uses of Snort. If makes a comparative analysis of Snort to some other wellknown programs used for similar purposes. There is also a nice rules tutorial contained in the document for those of you wanting to know how the rules system works.
| | Author: | Martin Roesch | | File Size: | 39944 | | Last Modified: | Oct 13 21:04:24 1999 |
| MD5 Checksum: | fee18e897cbd585eb3d1635ec64cd58b |
|
| /// Directory: |
/ nids / |
Description:
|
White paper section discussing network intrusion detection systems
| | Total Files: | 49 | | Last Modified: | Nov 10 21:30:49 2006 |
|
| /// File Name: |
OffensiveUseofIDS.pdf |
Description:
|
Offensive Use of IDS - This paper explores ways Intrusion Detection Systems (IDS) can be used for offensive purposes. It gives a brief technical outline of determining which TCP services are running on a network using passive monitoring.
| | Author: | Coretez Giovanni | | Homepage: | http://www.8thport.com | | File Size: | 20164 | | Last Modified: | Jun 26 08:25:47 2000 |
| MD5 Checksum: | 2ea691ce01ff4f3fb49226b16ebffac4 |
|
| /// File Name: |
OIR.pdf |
Description:
|
This paper puts forth the concept of intrusion resiliency as an emergent behavior that occurs within coupled intrusion detection and intrusion response mechanisms when the mechanisms, as a whole, exhibit a key set of identified attributes. An Illustrative example of how these attributes interact with each other to produce this behavior is given in the form of the Saint Jude Linux Kernel Module.
| | Author: | Tim Lawless | | Homepage: | http://www.sourceforge.net/projects/stjude | | File Size: | 305039 | | Last Modified: | May 14 06:52:36 2002 |
| MD5 Checksum: | 5b518c15a0f84d085f417ddc32788e2b |
|
| /// File Name: |
optimizeNFR1.pdf |
Description:
|
White paper discussing the optimization of Network Flight Recorder (NFR) and attack signatures overall when it comes to the MS-SQL Hello buffer overflow.
| | Author: | benjurry | | Homepage: | http://www.xfocus.org | | File Size: | 130704 | | Last Modified: | Aug 14 03:36:27 2003 |
| MD5 Checksum: | 32f914ab637812862a099ea830179528 |
|
| /// File Name: |
PassiveMappingviaStimulus.pdf |
Description:
|
Passive Mapping: The Importance of Stimulus - This paper is a follow-on to the first Passive Mapping paper. It examines the difference between active and passive mapping and gives some examples of how this difference can be implemented.
| | Author: | Coretez Giovanni | | Homepage: | http://www.8thport.com | | File Size: | 25696 | | Last Modified: | Jun 26 08:32:15 2000 |
| MD5 Checksum: | dafefead7021248954b91fcc6d33137d |
|
| /// File Name: |
reqts94.ps |
Description:
|
Software Requirements Specification: Next Generation Intrusion Detection Expert System
| | File Size: | 227436 | | Last Modified: | Oct 1 23:22:47 1999 |
| MD5 Checksum: | a22db6757386780558f1d1bf9ec5ca87 |
|
| /// File Name: |
safegard.ps |
Description:
|
SAFEGUARD Final Report: Detecting Unusual Program Behavior Using the NIDES Statistical Component
| | File Size: | 664104 | | Last Modified: | Oct 1 23:22:47 1999 |
| MD5 Checksum: | 1b37424b1f8d58603c25fb4551abc8a3 |
|
|
|
|
|
![.:[ packet storm ]:.](/images/ps-ani.gif)
