Date: Tue, 19 Oct 2004 23:55:01 +0200 From: "Devon H. O'Dell" <dodell@sitetronics.com> To: Brian Barto <bartobri@comcast.net> Cc: freebsd-security@freebsd.org Subject: Re: new intrusion detection system Message-ID: <41758D35.2070708@sitetronics.com> In-Reply-To: <F275E97D-2217-11D9-A30A-000A95886E00@comcast.net> References: <20041019133439.X604@localhost> <F275E97D-2217-11D9-A30A-000A95886E00@comcast.net>
Brian Barto wrote:
> Very interesting stuff. Certainly worth more investigation.
>
> Something occurred to me while I read your thesis. Though maybe it was
> worth a mention. The TTL (time to live) could potentially cause the IDS
> module to be easily beaten. An attack could begin and immediately go
> into a sleep state with the intent to expire the TTL. Later resuming
> with its actions going unnoticed.
>
> I hope to see more on this. I think it is a very creative and useful idea.
>
> Thanks,
> Brian

This is certainly something that will need to be researched and tuned in practical environments. In many cases, it's not practical to wait for over a certain period of time to perform the combination of commands needed to exploit software due to network or file issues. But it is a very valid point.

--Devon
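The TTL concern discussed in this exchange can be made concrete with a small correlator. The following is an added illustration, not code from the thread or from the IDS module under discussion: a hypothetical per-session sequence matcher that forgets a partial match once the gap between events exceeds a TTL. Fed a constructed event stream, it shows that the same three-step sequence is reported when the steps arrive close together and silently dropped when they are spread out beyond the TTL, and that keeping the partial state for the life of the session (ttl=None) rather than for a fixed window closes that gap, at the cost of holding state longer. The command names and timestamps are constructed for the example.

```python
# Hypothetical three-step command sequence the correlator looks for
# (constructed for this example; not from the thread).
PATTERN = ("fetch", "compile", "execute")


class SequenceCorrelator:
    """Track how far each session has progressed through PATTERN.

    A partial match is discarded when the gap since the session's last
    event exceeds ``ttl`` seconds. ``ttl=None`` keeps the partial match
    for as long as the session exists, which is the mitigation sketched
    in the thread's discussion.
    """

    def __init__(self, ttl):
        self.ttl = ttl
        self.state = {}  # session -> (index of next expected step, last seen ts)

    def feed(self, ts, session, command):
        """Consume one event; return True when the full sequence completes."""
        idx, last = self.state.get(session, (0, ts))
        if self.ttl is not None and ts - last > self.ttl:
            idx = 0  # TTL elapsed: forget the partial match
        if command == PATTERN[idx]:
            idx += 1  # next expected step observed; unrelated commands are ignored
        if idx == len(PATTERN):
            self.state.pop(session, None)
            return True
        self.state[session] = (idx, ts)
        return False


def alerts(correlator, events):
    """Run a (ts, session, command) event list through the correlator."""
    return [(ts, s) for ts, s, c in events if correlator.feed(ts, s, c)]


# Constructed sample streams: one session does the three steps within seconds,
# the other pauses well past a 60-second TTL between each step.
FAST = [(0, "s1", "fetch"), (2, "s1", "compile"), (3, "s1", "execute")]
SLOW = [(0, "s2", "fetch"), (400, "s2", "compile"), (800, "s2", "execute")]

if __name__ == "__main__":
    print("fast, ttl=60:", alerts(SequenceCorrelator(60), FAST))
    print("slow, ttl=60:", alerts(SequenceCorrelator(60), SLOW))
    print("slow, ttl=None:", alerts(SequenceCorrelator(None), SLOW))
```

The trade-off Devon points at is visible in the state dictionary: with a fixed TTL the correlator needs only short-lived entries, while session-lifetime tracking must hold an entry for every session that has taken even the first step, so a production module would pair the longer lifetime with a bound on how many sessions it tracks.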
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41758D35.2070708>