new intrusion detection system
Devon H. O'Dell
dodell at sitetronics.com
Tue Oct 19 14:55:03 PDT 2004
Brian Barto wrote:
> Very interesting stuff. Certainly worth more investigation.
>
> Something occurred to me while I read your thesis. Though maybe it was
> worth a mention. The TTL (time to live) could potentially cause the IDS
> module to be easily beaten. An attack could begin and immediately go
> into a sleep state with the intent to expire the TTL. Later resuming
> with it's actions going unnoticed.
>
> I hope to see more on this. I think it is a very creative and useful idea.
>
> Thanks,
> Brian
This is certainly something that will need to be researched and tuned in
practical environments. In many cases, it's not practical to wait for
over a certain period of time to perform the combination of commands
needed to exploit software due to network or file issues. But it is a
very valid point.
--Devon
More information about the freebsd-security
mailing list