From: Tomas Pluskal <plusik@pohoda.cz>
Date: Tue, 19 Oct 2004 18:03:11 +0200 (CEST)
To: "Devon H. O'Dell"
cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: new intrusion detection system
In-Reply-To: <41751ADA.40107@sitetronics.com>
Message-ID: <20041019174231.S958@localhost>
References: <20041019133439.X604@localhost> <41751ADA.40107@sitetronics.com>

> At a first glance of this email, I thought ``An IDS based upon SpamAssassin
> ideology? Intrusions differ too much from spam for this to be accurate!''
> After reading your thesis, my ideas were changed.
I agree with you that this approach to IDS cannot be as accurate as SpamAssassin is with spam detection, because the intrusion detection problem is more complex and has many complications (I have also mentioned this in the thesis). But still, this approach has its benefits.

> This work is certainly very interesting, and I encourage you to continue its
> development. Certainly one thing that would be desirable that I did not see
> listed in the improvements section (and many other IDS systems, such as Bro)
> would be the ability to carry out some action (instead of pure reporting)
> based upon behavior; this would allow for IDS as well as IPS behavior.

It is not listed in the improvements section because it is already a part of the IDS - it has 6 configurable actions to invoke when the process score reaches a defined level. It is also possible to add new actions as "submodules".

> I'm quite interested and impressed by the work you've done here. Do you have
> any plans of setting this up as a collaborative project? Can I help you by
> providing a place for you to do this?

I have made this public just now, and looking at the responses, I am thinking about starting a project. Perhaps SourceForge would be a good place to start. Looking for volunteers, of course :)

Tomas