Telnet filter

TCP filter (the filter itself, and its value file)

Small article on protocol anomaly detection

and finally:

Thesis report: Guidelines for a Long Term Competitive Intrusion Detection System

Abstract:
Intrusion Detection Systems (IDSs) are the computer equivalent of office
burglar alarms: they aim at monitoring computer networks for detecting
attacks and intrusions. IDSs are becoming one of the main security
components in secured network environments. Though rewarding, their
mission is also challenging and IDSs are facing a few major obstacles.
Analyzing these obstacles in order to define the guidelines for an IDS
that would remain efficient over the long term is the subject of this
master's thesis.

The study starts with an overview of practical network security,
followed by a review of current IDS technologies. This provides us with
a basis for identifying the main challenges facing IDSs, such as
monitoring encrypted or gigabit traffic, improving alert-flow relevancy
and resisting evasion techniques.

A first approach to solving some of these challenges consists in designing
efficient alert filters, which we will illustrate. A second approach is
to consider IDSs from a different point of view, seeing them as
information flow processing systems. It thus appears that an efficient
IDS could be built by integrating multiple IDSs in a common alert
processing structure.

and a short PowerPoint summary of the report