|
|
|
|
|
| FAQ | |||
|
|
The intrusion events can be triggered in a number of ways:
- pattern-search
- Blindly scans the payload looking for a specific pattern. For example, when triggering on FTP globbing, the sensor will search for asterisks within filenames.
- pattern-match
- Grabs a field value from a protocol and compares it against a well-known value for that field. For example, it might grab the user name during an FTP login and look it up in a list of FTP user names that are known to be bad.
- protocol-validation
- Doesn't look for patterns within the data, but analyzes the structure of the protocol carrying the data. For example, the sensor looks at the length of a user's login name, and triggers when it exceeds 100 characters, because no user has login names that long.
- state-based
- Remembers things from multiple packets. There is no one packet that triggers the signature. The sensor must look at many packets before triggering. For example, an FTP server might attack a client by returning bad data in a NLST command. This data comes from a different TCP connection unrelated to the original FTP control connection. The sensor must correlate different pieces of information it saw from these two connections.
Note that most intrusion signatures are a combination of these techniques.
False Positives
When trying to determine whether a triggered event is a false-positive, the nature of the signature is very important. Pattern-search events have the highest number of false-positives, because they don't understand the context within which the pattern occurs. State-based signatures should have the lowest incidence of false-positives because a number of things must occur before they trigger.
Version appeared: