From: "Devon H. O'Dell" <dodell@sitetronics.com>
Date: Tue, 19 Oct 2004 23:55:01 +0200
To: Brian Barto
Cc: freebsd-hackers@freebsd.org, Tomas Pluskal, freebsd-security@freebsd.org
Subject: Re: new intrusion detection system
Message-ID: <41758D35.2070708@sitetronics.com>
References: <20041019133439.X604@localhost>
List-Id: Technical Discussions relating to FreeBSD

Brian Barto wrote:
> Very interesting stuff. Certainly worth more investigation.
>
> Something occurred to me while I read your thesis. Though maybe it was
> worth a mention. The TTL (time to live) could potentially cause the IDS
> module to be easily beaten. An attack could begin and immediately go
> into a sleep state with the intent to expire the TTL. Later resuming
> with its actions going unnoticed.
>
> I hope to see more on this. I think it is a very creative and useful idea.
>
> Thanks,
> Brian

This is certainly something that will need to be researched and tuned in practical environments. In many cases, it's not practical to wait for over a certain period of time to perform the combination of commands needed to exploit software due to network or file issues. But it is a very valid point.

--Devon
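The evasion Brian describes, shown as an added example that is not part of the thread or of the thesis under discussion. The IDS model here is an assumption made for illustration: a correlation engine that tracks, per source, how far that source has progressed through an ordered command sequence, and discards the partial match once more than TTL seconds pass between consecutive matching steps. The signature, the source addresses and the event timestamps are all constructed.

```python
"""Toy sequence-correlation IDS demonstrating TTL-expiry evasion.

Added example, not code from the thesis or from FreeBSD.  Assumed model:
an attack signature is an ordered list of commands; a partial match for a
source is dropped when the gap between two matching steps exceeds `ttl`.
An attacker who sleeps longer than `ttl` between steps is never correlated.
"""

from collections import namedtuple

# t = seconds (constructed clock), src = source host, cmd = observed command
Event = namedtuple("Event", "t src cmd")

# Hypothetical three-step signature: all three must come from one source,
# in this order, for an alert to fire.
SIGNATURE = ("fetch_exploit", "compile", "run_setuid")


class SequenceIDS:
    """state[src] = (index of next expected step, time of last matched step)."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.state = {}
        self.alerts = []

    def feed(self, ev):
        idx, last = self.state.get(ev.src, (0, None))
        # Expire a stale partial match: this is the hole the evasion targets.
        if idx > 0 and ev.t - last > self.ttl:
            idx, last = 0, None
        if ev.cmd == SIGNATURE[idx]:
            idx, last = idx + 1, ev.t
            if idx == len(SIGNATURE):
                self.alerts.append((ev.src, ev.t))
                idx, last = 0, None
        # Non-matching commands neither advance nor refresh the match.
        self.state[ev.src] = (idx, last)
        return idx

    def run(self, events):
        for ev in sorted(events, key=lambda e: e.t):
            self.feed(ev)
        return list(self.alerts)


def detect(events, ttl):
    """Run one IDS instance over an event list; returns [(src, t), ...] alerts."""
    return SequenceIDS(ttl).run(events)


# Constructed sample streams (not captured from any real system).
FAST_ATTACK = [
    Event(100, "10.0.0.5", "fetch_exploit"),
    Event(101, "10.0.0.5", "compile"),
    Event(102, "10.0.0.9", "compile"),        # unrelated host, same command
    Event(103, "10.0.0.5", "run_setuid"),
]

# Same steps from the same host, but with a 600-second sleep between each.
PATIENT_ATTACK = [
    Event(100, "10.0.0.5", "fetch_exploit"),
    Event(700, "10.0.0.5", "compile"),
    Event(1300, "10.0.0.5", "run_setuid"),
]

if __name__ == "__main__":
    print(detect(FAST_ATTACK, ttl=300))      # one alert at t=103
    print(detect(PATIENT_ATTACK, ttl=300))   # nothing: each gap exceeds the TTL
    print(detect(PATIENT_ATTACK, ttl=3600))  # alert again once the TTL is raised
```

With a 300-second TTL the fast run alerts and the patient run does not; raising the TTL to an hour closes that gap, at the cost of holding partial-match state per source for longer and coupling more unrelated commands into one match. Whether an attacker can actually afford the wait, as Devon notes, depends on whether the intermediate state (an open connection, a temporary file) survives the sleep.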