IDS Mindmap

1. <map version="0.9.0">
2. <!--To view this file, download free mind mapping software Freeplane from http://freeplane.sourceforge.net -->
3. <node TEXT="Intrusion Detection" ID="Freemind_Link_1221257976" CREATED="1285307263421" MODIFIED="1286018625936" COLOR="#000000">
4. <font NAME="SansSerif" SIZE="20"/>
5. <hook NAME="MapStyle" max_node_width="600"/>
6. <hook NAME="accessories/plugins/AutomaticLayout.properties"/>
7. <node TEXT="goals" POSITION="left" ID="Freemind_Link_307336795" CREATED="1285307548015" MODIFIED="1285848144875" COLOR="#0033ff">
8. <font NAME="SansSerif" SIZE="18"/>
9. <edge STYLE="sharp_bezier" WIDTH="8"/>
10. <node TEXT="basic security goals" ID="ID_384228071" CREATED="1285783225717" MODIFIED="1286018647791" COLOR="#00b439">
11. <font SIZE="16"/>
12. <edge STYLE="bezier" WIDTH="thin"/>
13. <node TEXT="confidentiality" ID="Freemind_Link_1535274235" CREATED="1285307560656" MODIFIED="1286053833400" COLOR="#990000">
14. <font NAME="SansSerif" SIZE="14"/>
15. <edge STYLE="bezier" WIDTH="thin"/>
16. </node>
17. <node TEXT="integrity" ID="Freemind_Link_661023599" CREATED="1285307567078" MODIFIED="1286053838020" COLOR="#990000">
18. <font NAME="SansSerif" SIZE="14"/>
19. <edge STYLE="bezier" WIDTH="thin"/>
20. </node>
21. <node TEXT="availability" ID="Freemind_Link_685714635" CREATED="1285307571453" MODIFIED="1286053841224" COLOR="#990000">
22. <font NAME="SansSerif" SIZE="14"/>
23. <edge STYLE="bezier" WIDTH="thin"/>
24. </node>
25. </node>
26. <node TEXT="specific goals of intrusion detection" ID="ID_1855599575" CREATED="1285783238604" MODIFIED="1286018661213" COLOR="#00b439">
27. <font SIZE="16"/>
28. <edge STYLE="bezier" WIDTH="thin"/>
29. <node TEXT="primary" ID="ID_205592953" CREATED="1285783256645" MODIFIED="1286053848429" COLOR="#990000">
30. <font SIZE="14"/>
31. <node TEXT="burglar alarm: detect successful intrusions" ID="ID_1808175223" CREATED="1285783264237" MODIFIED="1286215222128" COLOR="#111111">
32. <font SIZE="12"/>
33. </node>
34. <node TEXT="early warning system: detect attack attempts" ID="ID_1277184203" CREATED="1285783276156" MODIFIED="1286053866841" COLOR="#111111">
35. <font SIZE="12"/>
36. </node>
37. <node TEXT="network flight recorder: record suspicious activity" ID="ID_1182721712" CREATED="1285783291828" MODIFIED="1285783324235" COLOR="#111111">
38. <font SIZE="12"/>
39. <node TEXT="guess the name of one early IDS product that was designed by Marcus Ranum ;-)" ID="ID_1951373247" CREATED="1286212130882" MODIFIED="1286212203831" COLOR="#111111" LINK="http://www.ranum.com/">
40. <font SIZE="12"/>
41. </node>
42. </node>
43. </node>
44. <node TEXT="secondary" ID="ID_1233442613" CREATED="1285783261116" MODIFIED="1286053851929" COLOR="#990000">
45. <font SIZE="14"/>
46. <node TEXT="audit system: detect policy breaches" ID="ID_407487940" CREATED="1285783332394" MODIFIED="1286053879412" COLOR="#111111">
47. <font SIZE="12"/>
48. </node>
49. <node TEXT="intelligence/Insight:" ID="ID_709718436" CREATED="1285783356490" MODIFIED="1286215226446" COLOR="#111111" HGAP="18">
50. <font SIZE="12"/>
51. <node TEXT="security posture" ID="ID_1831477083" CREATED="1285783370257" MODIFIED="1285783375028" COLOR="#111111">
52. <font SIZE="12"/>
53. </node>
54. <node TEXT="who is attacking?" ID="ID_1919941960" CREATED="1285783375441" MODIFIED="1285783390707" COLOR="#111111">
55. <font SIZE="12"/>
56. </node>
57. <node TEXT="what is being attacked?" ID="ID_1795477240" CREATED="1285783391153" MODIFIED="1285783399884" COLOR="#111111">
58. <font SIZE="12"/>
59. </node>
60. <node TEXT="how often am I being attacked?" ID="ID_542190721" CREATED="1285783400729" MODIFIED="1285783415805" COLOR="#111111">
61. <font SIZE="12"/>
62. </node>
63. <node TEXT="what kind of vulnerabilites are being attacked?" ID="ID_844744106" CREATED="1285783416618" MODIFIED="1285783432363" COLOR="#111111">
64. <font SIZE="12"/>
65. </node>
66. <node TEXT="how serious are the attacks?" ID="ID_697698140" CREATED="1285783435880" MODIFIED="1285783450016" COLOR="#111111">
67. <font SIZE="12"/>
68. </node>
69. <node TEXT="how&apos;s the threat model changing? trends" ID="ID_77881006" CREATED="1285783450656" MODIFIED="1285783484306" COLOR="#111111">
70. <font SIZE="12"/>
71. </node>
72. <node TEXT="are my security controls adequate?" ID="ID_277432833" CREATED="1285783487575" MODIFIED="1285783498870" COLOR="#111111">
73. <font SIZE="12"/>
74. </node>
75. </node>
76. <node TEXT="detect anomalies and malfunctions" ID="ID_561721523" CREATED="1286053915306" MODIFIED="1286053930673" COLOR="#111111">
77. <font SIZE="12"/>
78. <node TEXT="malconfigured routes" ID="ID_1045144557" CREATED="1286053933689" MODIFIED="1286053940516" COLOR="#111111">
79. <font SIZE="12"/>
80. </node>
81. <node TEXT="unusual high traffic load" ID="ID_905279889" CREATED="1286053941025" MODIFIED="1286053962202" COLOR="#111111">
82. <font SIZE="12"/>
83. </node>
84. <node TEXT="corrupted packets" ID="ID_1318551531" CREATED="1286053963921" MODIFIED="1286053990980" COLOR="#111111">
85. <font SIZE="12"/>
86. </node>
87. </node>
88. </node>
89. </node>
90. </node>
91. <node TEXT="threats" POSITION="left" ID="A0B314DE-2F53-4789-B53F-602903C1527D" CREATED="1285230724936" MODIFIED="1285848141000" COLOR="#0033ff">
92. <font NAME="Dialog" SIZE="18"/>
93. <edge STYLE="sharp_bezier" COLOR="#7f7f7f" WIDTH="8"/>
94. <node TEXT="advanced persistent threats" ID="9D9F0316-849C-4F60-B9A2-24E76F4F829C" CREATED="1285230725030" MODIFIED="1286054020189" COLOR="#00b439">
95. <font NAME="Dialog" SIZE="16"/>
96. <edge STYLE="bezier" COLOR="#9933cc" WIDTH="thin"/>
97. <node TEXT="targeted trojans" ID="290935D8-DE6C-41B5-BAAE-C67CDC3C5C0F" CREATED="1285230725030" MODIFIED="1286054026630" COLOR="#990000">
98. <font NAME="Dialog" SIZE="14"/>
99. <edge COLOR="#9933cc"/>
100. </node>
101. <node TEXT="marketing hype" ID="ID_439513414" CREATED="1285783573988" MODIFIED="1285783578948" COLOR="#990000">
102. <font SIZE="14"/>
103. </node>
104. <node TEXT="not james bond like attacks but merely simple and effective attacks that are very much preventable" ID="ID_922819436" CREATED="1285783579380" MODIFIED="1285783629624" COLOR="#990000">
105. <font SIZE="14"/>
106. </node>
107. </node>
108. <node TEXT="misuse" ID="5535D10F-56AB-4444-B1F2-48471F2F5EF7" CREATED="1285230725030" MODIFIED="1285783636154" COLOR="#00b439">
109. <font NAME="Dialog" SIZE="16"/>
110. <edge STYLE="bezier" COLOR="#19b27f" WIDTH="thin"/>
111. </node>
112. <node TEXT="malware" ID="BB391D34-4549-4C49-AD90-08FA3971909C" CREATED="1285230725030" MODIFIED="1285783654579" COLOR="#00b439">
113. <font NAME="Dialog" SIZE="16"/>
114. <edge STYLE="bezier" COLOR="#7f19b2" WIDTH="thin"/>
115. <node TEXT="trojans" ID="8A43929F-CA53-436E-943D-90B3F2AE6046" CREATED="1285230725030" MODIFIED="1285783659423" COLOR="#990000">
116. <font NAME="Dialog" SIZE="14"/>
117. <edge COLOR="#ccff66"/>
118. </node>
119. <node TEXT="worms" ID="7AF07B4A-5EDC-41A3-BB41-D070143CEE2E" CREATED="1285230725030" MODIFIED="1285783663996" COLOR="#990000">
120. <font NAME="Dialog" SIZE="14"/>
121. <edge COLOR="#66ccff"/>
122. </node>
123. <node TEXT="viruses" ID="D8E73722-9396-4E06-AEFF-8EE6D5C43D4D" CREATED="1285230725030" MODIFIED="1285783939164" COLOR="#990000">
124. <font NAME="Dialog" SIZE="14"/>
125. <edge COLOR="#ffcc66"/>
126. </node>
127. </node>
128. <node TEXT="web application attacks" ID="B115D81F-3841-4D73-B0DF-7D1995392D7C" CREATED="1285230725030" MODIFIED="1285783959473" COLOR="#00b439">
129. <font NAME="Dialog" SIZE="16"/>
130. <edge STYLE="bezier" COLOR="#19b27f" WIDTH="thin"/>
131. <node TEXT="command/code injection" ID="44DF6CD0-18F3-4B1C-A0DD-BB42C90AC595" CREATED="1285230725030" MODIFIED="1286054045880" COLOR="#990000">
132. <font NAME="Dialog" SIZE="14"/>
133. <edge COLOR="#b24ce5"/>
134. </node>
135. <node TEXT="sql-injection" ID="4BBEAF5D-82E7-43CC-BB07-B22022FB3E36" CREATED="1285230725030" MODIFIED="1286054054420" COLOR="#990000">
136. <font NAME="Dialog" SIZE="14"/>
137. <edge COLOR="#e5cc66"/>
138. </node>
139. <node TEXT="remote- / local file inclusion" ID="F12CA71F-3EB7-43D2-A2BA-B3D9A4439F21" CREATED="1285230725030" MODIFIED="1286054065180" COLOR="#990000">
140. <font NAME="Dialog" SIZE="14"/>
141. <edge COLOR="#cc9933"/>
142. </node>
143. <node TEXT="cross site request forgery" ID="B2EFEAF2-3A61-4A30-94C0-A1F6640C0F29" CREATED="1285230725030" MODIFIED="1286054075773" COLOR="#990000">
144. <font NAME="Dialog" SIZE="14"/>
145. <edge COLOR="#4cb2e5"/>
146. </node>
147. <node TEXT="cross site scripting" ID="7D5F6BCE-FF9D-4FB7-B616-1C5A13F4F6A9" CREATED="1285230725030" MODIFIED="1286054084212" COLOR="#990000">
148. <font NAME="Dialog" SIZE="14"/>
149. <edge COLOR="#4ce5b2"/>
150. </node>
151. </node>
152. <node TEXT="script kiddies" ID="4C3C95A4-264D-4465-BD5B-CE2E5AAED2E0" CREATED="1285230725030" MODIFIED="1286054094009" COLOR="#00b439">
153. <font NAME="Dialog" SIZE="16"/>
154. <edge STYLE="bezier" COLOR="#ffe57f" WIDTH="thin"/>
155. </node>
156. <node TEXT="crypto/auth downgrade attacks" ID="90D10DC5-6B7B-4901-BA1E-B8FB94673163" CREATED="1285230725030" MODIFIED="1286211929720" COLOR="#00b439">
157. <font NAME="Dialog" SIZE="16"/>
158. <edge STYLE="bezier" COLOR="#9933cc" WIDTH="thin"/>
159. </node>
160. <node TEXT="data leakage / information disclosure" ID="52DA5D72-366C-4C11-9A07-6BBCCAA8550B" CREATED="1285230725030" MODIFIED="1285784042790" COLOR="#00b439">
161. <font NAME="Dialog" SIZE="16"/>
162. <edge STYLE="bezier" COLOR="#b27f19" WIDTH="thin"/>
163. </node>
164. <node TEXT="buffer overflow exploit" ID="DA39AB09-E209-4AC8-BAA6-4A906766793A" CREATED="1285230725030" MODIFIED="1285784052366" COLOR="#00b439">
165. <font NAME="Dialog" SIZE="16"/>
166. <edge STYLE="bezier" COLOR="#b2e54c" WIDTH="thin"/>
167. </node>
168. <node TEXT="sniffing" ID="C30EDF7E-0683-48F5-B5BE-156617C2C158" CREATED="1285230725030" MODIFIED="1285784056973" COLOR="#00b439">
169. <font NAME="Dialog" SIZE="16"/>
170. <edge STYLE="bezier" COLOR="#99cc33" WIDTH="thin"/>
171. </node>
172. <node TEXT="hacking" ID="81956F09-9D0A-4AF2-BAD8-5591D935D104" CREATED="1285230725030" MODIFIED="1285846185406" COLOR="#00b439" STYLE="fork" HGAP="25" VSHIFT="-30">
173. <font NAME="Dialog" SIZE="16"/>
174. <edge STYLE="bezier" COLOR="#cc66ff" WIDTH="thin"/>
175. </node>
176. <node TEXT="arp poisonig / arp flooding" ID="7D14D386-9B9E-4AA2-BA2A-A976DCDA56AB" CREATED="1285230725030" MODIFIED="1286054109260" COLOR="#00b439">
177. <font NAME="Dialog" SIZE="16"/>
178. <edge STYLE="bezier" COLOR="#33cc99" WIDTH="thin"/>
179. </node>
180. <node TEXT="botnets" ID="B0420337-6AC0-43A6-AF78-A960256D80CB" CREATED="1285230725030" MODIFIED="1285784076757" COLOR="#00b439">
181. <font NAME="Dialog" SIZE="16"/>
182. <edge STYLE="bezier" COLOR="#66ffcc" WIDTH="thin"/>
183. </node>
184. <node TEXT="bruteforce password attacks" ID="8A8731AE-C884-4BAE-B231-F19E860F5140" CREATED="1285230725030" MODIFIED="1285784088285" COLOR="#00b439">
185. <font NAME="Dialog" SIZE="16"/>
186. <edge STYLE="bezier" COLOR="#e5b24c" WIDTH="thin"/>
187. </node>
188. <node TEXT="policy breaches" ID="ED61381E-70CB-46BC-9A1C-F4AEEA86A0D8" CREATED="1285230725030" MODIFIED="1285784097015" COLOR="#00b439">
189. <font NAME="Dialog" SIZE="16"/>
190. <edge STYLE="bezier" COLOR="#197fb2" WIDTH="thin"/>
191. </node>
192. <node TEXT="man in the middle attack" ID="839227DA-8237-4457-B5BD-351B8CFF1E2F" CREATED="1285230725030" MODIFIED="1285784104002" COLOR="#00b439">
193. <font NAME="Dialog" SIZE="16"/>
194. <edge STYLE="bezier" COLOR="#3399cc" WIDTH="thin"/>
195. </node>
196. <node TEXT="social engineering" ID="0BDF8F99-43AF-4115-BA89-3A4FD01E396C" CREATED="1285230725030" MODIFIED="1286054117622" COLOR="#00b439">
197. <font NAME="Dialog" SIZE="16"/>
198. <edge STYLE="bezier" COLOR="#ccb24c" WIDTH="thin"/>
199. <node TEXT="phishing" ID="3087FB26-42C8-4C37-A208-1B79EA623925" CREATED="1285230725030" MODIFIED="1286054122091" COLOR="#990000">
200. <font NAME="Dialog" SIZE="14"/>
201. <edge COLOR="#ccb24c"/>
202. </node>
203. <node TEXT="spear phishing" ID="4CA70671-34FA-40CB-AEEB-B1697A2320E1" CREATED="1285230725030" MODIFIED="1286054129371" COLOR="#990000">
204. <font NAME="Dialog" SIZE="14"/>
205. <edge COLOR="#ccb24c"/>
206. </node>
207. </node>
208. <node TEXT="client side" ID="11DB8A3D-D998-4887-BF2E-F4C9C34DB069" CREATED="1285230725030" MODIFIED="1286054136332" COLOR="#00b439">
209. <font NAME="Dialog" SIZE="16"/>
210. <edge STYLE="bezier" COLOR="#7fb219" WIDTH="thin"/>
211. <node TEXT="driveby download" ID="B12FB8B6-F930-4F97-B324-7A3F1CB02BDB" CREATED="1285230725030" MODIFIED="1286054141204" COLOR="#990000">
212. <font NAME="Dialog" SIZE="14"/>
213. <edge COLOR="#7fb219"/>
214. </node>
215. <node TEXT="blended threats" ID="B9078AE0-2C1B-44DC-8C4F-7CC595B72B78" CREATED="1285230725030" MODIFIED="1286054149231" COLOR="#990000">
216. <font NAME="Dialog" SIZE="14"/>
217. <edge COLOR="#7fb219"/>
218. <node TEXT="Wireless AP spoofing + Airpwn (Karmetasploit) http://www.youtube.com/watch?v=Ne7hof-w0kU" ID="1BE4855B-1935-4FF3-B31C-CAAC8688DCD2" CREATED="1285230725030" MODIFIED="1285763032880" COLOR="#111111">
219. <font NAME="Dialog" SIZE="12"/>
220. <edge COLOR="#7fb219"/>
221. </node>
222. <node TEXT="DLL Hijacking + Auto download (Chrome)  http://www.youtube.com/user/avivra" ID="A770C487-E0D9-40AA-B168-A1624EDA37F2" CREATED="1285230725030" MODIFIED="1285763032880" COLOR="#111111">
223. <font NAME="Dialog" SIZE="12"/>
224. <edge COLOR="#7fb219"/>
225. </node>
226. <node TEXT="USB + Social Enginieering + DLL Hijacking  http://www.attackvector.org/video-demo-of-dll-hijacking-attack/" ID="10D029C4-1FF3-4BF7-BB81-FD4C024062A8" CREATED="1285230725030" MODIFIED="1285763032880" COLOR="#111111">
227. <font NAME="Dialog" SIZE="12"/>
228. <edge COLOR="#7fb219"/>
229. </node>
230. <node TEXT="" ID="Freemind_Link_1508370736" CREATED="1285237319776" MODIFIED="1285763032880" COLOR="#111111">
231. <font SIZE="12"/>
232. </node>
233. </node>
234. </node>
235. <node TEXT="server side" ID="B5E8F791-BEF7-4871-B18A-9CE19558555F" CREATED="1285230725030" MODIFIED="1286054166851" COLOR="#00b439">
236. <font NAME="Dialog" SIZE="16"/>
237. <edge STYLE="bezier" COLOR="#19b27f" WIDTH="thin"/>
238. </node>
239. </node>
240. <node TEXT="analysis-frontend" POSITION="left" ID="ID_278984732" CREATED="1285765289254" MODIFIED="1285848136234" COLOR="#0033ff">
241. <font SIZE="18"/>
242. <edge STYLE="sharp_bezier" WIDTH="8"/>
243. <node TEXT="data (desirable)" ID="ID_791897045" CREATED="1285765498330" MODIFIED="1285847075265" COLOR="#00b439">
244. <font SIZE="16"/>
245. <edge STYLE="bezier" WIDTH="thin"/>
246. <node TEXT="src/dst ip-/mac-addresses" ID="ID_213887695" CREATED="1285765545861" MODIFIED="1285846492406" COLOR="#990000">
247. <font SIZE="14"/>
248. </node>
249. <node TEXT="src/dst ports" ID="ID_1867410646" CREATED="1285846500125" MODIFIED="1285846544796" COLOR="#990000">
250. <font SIZE="14"/>
251. <arrowlink DESTINATION="ID_1867410646" STARTINCLINATION="0;0;" ENDINCLINATION="0;0;" STARTARROW="NONE" ENDARROW="DEFAULT"/>
252. </node>
253. <node TEXT="originating sensor / agent" ID="ID_1002786166" CREATED="1285846571718" MODIFIED="1285846581812" COLOR="#990000">
254. <font SIZE="14"/>
255. </node>
256. <node TEXT="timestamp" ID="ID_463717513" CREATED="1285765559502" MODIFIED="1285846593312" COLOR="#990000">
257. <font SIZE="14"/>
258. </node>
259. <node TEXT="alert category" ID="ID_1145808756" CREATED="1285765565236" MODIFIED="1285846616375" COLOR="#990000">
260. <font SIZE="14"/>
261. </node>
262. <node TEXT="alert criticality" ID="ID_338308092" CREATED="1285765572189" MODIFIED="1285846612015" COLOR="#990000">
263. <font SIZE="14"/>
264. </node>
265. <node TEXT="name of alert / attack" ID="ID_1929351608" CREATED="1285765578158" MODIFIED="1285846632562" COLOR="#990000">
266. <font SIZE="14"/>
267. </node>
268. <node TEXT="detailed description of alert / attack" ID="ID_465476590" CREATED="1285846638625" MODIFIED="1285846652187" COLOR="#990000">
269. <font SIZE="14"/>
270. </node>
271. <node TEXT="signature name/id/pattern that triggered the alert" ID="ID_1788864015" CREATED="1285765594377" MODIFIED="1285846676031" COLOR="#990000">
272. <font SIZE="14"/>
273. </node>
274. <node TEXT="known false positives / false negatives" ID="ID_1043054532" CREATED="1285846811171" MODIFIED="1285846822046" COLOR="#990000">
275. <font SIZE="14"/>
276. </node>
277. <node TEXT="reputation of src-ip / dns-name" ID="ID_474102608" CREATED="1285765604298" MODIFIED="1285846691734" COLOR="#990000">
278. <font SIZE="14"/>
279. </node>
280. <node TEXT="geo-ip information of scr/dst" ID="ID_1295813417" CREATED="1285846880250" MODIFIED="1285846892703" COLOR="#990000">
281. <font SIZE="14"/>
282. </node>
283. <node TEXT="packet-trace" ID="ID_937895639" CREATED="1285765648251" MODIFIED="1285846699250" COLOR="#990000">
284. <font SIZE="14"/>
285. </node>
286. <node TEXT="name and description of attacked vulnerability" ID="ID_712972024" CREATED="1285765730516" MODIFIED="1285846713687" COLOR="#990000">
287. <font SIZE="14"/>
288. <node TEXT="references to cve, bid, cwe, osvdb etc." ID="ID_59800005" CREATED="1285846839656" MODIFIED="1285846925937" COLOR="#111111">
289. <font SIZE="12"/>
290. </node>
291. <node TEXT="recommendations for remediation actions" ID="ID_760771454" CREATED="1285846861593" MODIFIED="1285846928015" COLOR="#111111">
292. <font SIZE="12"/>
293. </node>
294. <node TEXT="available patches and workarounds" ID="ID_1416807518" CREATED="1285846934265" MODIFIED="1285846945359" COLOR="#111111">
295. <font SIZE="12"/>
296. </node>
297. </node>
298. <node TEXT="available information about the target (e.g. running services, contact person, known vulns, target criticality)" ID="ID_241962548" CREATED="1285846975125" MODIFIED="1285847005640" COLOR="#990000">
299. <font SIZE="14"/>
300. </node>
301. </node>
302. <node TEXT="workflow support (desirable)" ID="ID_1856346036" CREATED="1285765764469" MODIFIED="1285847162828" COLOR="#00b439">
303. <font SIZE="16"/>
304. <edge STYLE="bezier" WIDTH="thin"/>
305. <node TEXT="local remediation workflow" ID="ID_1802778959" CREATED="1285765772407" MODIFIED="1285847202968" COLOR="#990000">
306. <font SIZE="14"/>
307. </node>
308. <node TEXT="forwarding workflows (alerting, ticketing, escalation)" ID="ID_957291638" CREATED="1285765781875" MODIFIED="1285847196406" COLOR="#990000">
309. <font SIZE="14"/>
310. </node>
311. <node TEXT="overall operational security analysis" ID="ID_447433949" CREATED="1285765795719" MODIFIED="1285847240484" COLOR="#990000">
312. <font SIZE="14"/>
313. </node>
314. <node TEXT="local workflow for documentation and building a knowledge base" ID="ID_420879552" CREATED="1285765903953" MODIFIED="1285847288468" COLOR="#990000">
315. <font SIZE="14"/>
316. </node>
317. <node TEXT="mark alerts as false positive / successfull attack / failed attack / unknown" ID="ID_690970854" CREATED="1285765961140" MODIFIED="1285847328250" COLOR="#990000">
318. <font SIZE="14"/>
319. </node>
320. </node>
321. <node TEXT="reports" ID="ID_1577682529" CREATED="1285766062717" MODIFIED="1285847391265" COLOR="#00b439">
322. <font SIZE="16"/>
323. <edge STYLE="bezier" WIDTH="thin"/>
324. <node TEXT="custom database queries" ID="ID_564266950" CREATED="1285766066499" MODIFIED="1285847339531" COLOR="#990000">
325. <font SIZE="14"/>
326. </node>
327. <node TEXT="PDF, XLS, CSV, HTML ..." ID="ID_1111695350" CREATED="1285766081670" MODIFIED="1285766095811" COLOR="#990000">
328. <font SIZE="14"/>
329. </node>
330. <node TEXT="management summary / statistics" ID="ID_1529820565" CREATED="1285766096889" MODIFIED="1285847349515" COLOR="#990000">
331. <font SIZE="14"/>
332. </node>
333. <node TEXT="detailed technical reports including addresses, payload data etc." ID="ID_1927652136" CREATED="1285847354390" MODIFIED="1285847385484" COLOR="#990000">
334. <font SIZE="14"/>
335. </node>
336. </node>
337. <node TEXT="views" ID="ID_1775099130" CREATED="1285847064906" MODIFIED="1285847069625" COLOR="#00b439">
338. <font SIZE="16"/>
339. <edge STYLE="bezier" WIDTH="thin"/>
340. <node TEXT="customizable view" ID="ID_181964458" CREATED="1285766002499" MODIFIED="1285846725171" COLOR="#990000">
341. <font SIZE="14"/>
342. </node>
343. <node TEXT="table views with sortable collums" ID="ID_1632679902" CREATED="1285766013983" MODIFIED="1285846751578" COLOR="#990000">
344. <font SIZE="14"/>
345. </node>
346. <node TEXT="custom filters (src/dst, time-window, alert-type, criticality etc.)" ID="ID_852118950" CREATED="1285766032921" MODIFIED="1285846780968" COLOR="#990000">
347. <font SIZE="14"/>
348. </node>
349. <node TEXT="drill down views" ID="ID_1643594910" CREATED="1285847100109" MODIFIED="1285847147890" COLOR="#990000">
350. <font SIZE="14"/>
351. </node>
352. </node>
353. </node>
354. <node TEXT="alerting" POSITION="right" ID="ID_38989086" CREATED="1285765307300" MODIFIED="1286017488696" COLOR="#0033ff">
355. <font SIZE="18"/>
356. <edge STYLE="sharp_bezier" WIDTH="8"/>
357. <node TEXT="email, pager, sms" ID="ID_390065941" CREATED="1285765427956" MODIFIED="1286017499789" COLOR="#00b439">
358. <font SIZE="16"/>
359. <edge STYLE="bezier" WIDTH="thin"/>
360. </node>
361. <node TEXT="SNMP trap" ID="ID_1763953971" CREATED="1285765435690" MODIFIED="1286017504109" COLOR="#00b439">
362. <font SIZE="16"/>
363. <edge STYLE="bezier" WIDTH="thin"/>
364. </node>
365. <node TEXT="syslog" ID="ID_1064674141" CREATED="1285765440831" MODIFIED="1286017507631" COLOR="#00b439">
366. <font SIZE="16"/>
367. <edge STYLE="bezier" WIDTH="thin"/>
368. </node>
369. <node TEXT="ticketing-system (e.g. Remedy)" ID="ID_892651569" CREATED="1285765445003" MODIFIED="1286017520029" COLOR="#00b439">
370. <font SIZE="16"/>
371. <edge STYLE="bezier" WIDTH="thin"/>
372. </node>
373. <node TEXT="IDMEF message (XML/SOAP)" ID="ID_661247364" CREATED="1285765454878" MODIFIED="1286054333516" COLOR="#00b439" LINK="http://www.ietf.org/rfc/rfc4765.txt">
374. <font SIZE="16"/>
375. <edge STYLE="bezier" WIDTH="thin"/>
376. </node>
377. <node TEXT="products" ID="ID_1692892505" CREATED="1285766835181" MODIFIED="1286212049286" COLOR="#00b439">
378. <font SIZE="16"/>
379. <edge STYLE="bezier" WIDTH="thin"/>
380. <node TEXT="OpenSource IDS" ID="ID_1804883827" CREATED="1285766838119" MODIFIED="1286212049286" COLOR="#990000">
381. <font SIZE="14"/>
382. <edge STYLE="bezier" WIDTH="thin"/>
383. <node TEXT="Open Snort" ID="ID_1008423496" CREATED="1286212247175" MODIFIED="1286212284077" COLOR="#111111" LINK="http://www.snort.org">
384. <font SIZE="12"/>
385. </node>
386. <node TEXT="SecurityOnion (Snort)" ID="ID_1694498136" CREATED="1285766842275" MODIFIED="1286212049287" COLOR="#111111" LINK="http://securityonion.blogspot.com">
387. <font SIZE="12"/>
388. </node>
389. <node TEXT="Snorby" ID="ID_1449365793" CREATED="1285766883400" MODIFIED="1286212049288" COLOR="#111111" LINK="http://snorby.org">
390. <font SIZE="12"/>
391. </node>
392. <node TEXT="Suricata" ID="ID_326313873" CREATED="1285766914071" MODIFIED="1286212049300" COLOR="#111111" LINK="http://www.opensecfoundation.org">
393. <font SIZE="12"/>
394. </node>
395. <node TEXT="Bro-IDS" ID="ID_187442097" CREATED="1285766981399" MODIFIED="1286212049301" COLOR="#111111" LINK="www.bro-ids.org">
396. <font SIZE="12"/>
397. </node>
398. <node TEXT="Prelude-IDS" ID="ID_681276674" CREATED="1285767035914" MODIFIED="1286212049301" COLOR="#111111" LINK="www.prelude-technologies.com">
399. <font SIZE="12"/>
400. </node>
401. <node TEXT="Emergingthreats Snort-Signaturen" ID="ID_864855297" CREATED="1285767071867" MODIFIED="1286212049302" COLOR="#111111" LINK="www.emergingthreats.net">
402. <font SIZE="12"/>
403. </node>
404. <node TEXT="OSSEC Host IDS" ID="ID_1725528736" CREATED="1286055417743" MODIFIED="1286212049303" COLOR="#111111" LINK="http://www.ossec.net/">
405. <font SIZE="12"/>
406. </node>
407. <node TEXT="Samhain Host IDS" ID="ID_1345426005" CREATED="1286055433204" MODIFIED="1286212049303" COLOR="#111111" LINK="http://www.la-samhna.de/samhain/">
408. <font SIZE="12"/>
409. </node>
410. <node TEXT="AppArmor (a mandatory access control system which could count as some sort of host intrusion prevention, as well)" ID="ID_1993954015" CREATED="1286055438851" MODIFIED="1286212049304" COLOR="#111111" LINK="https://wiki.ubuntu.com/AppArmor">
411. <font SIZE="12"/>
412. </node>
413. <node TEXT="Tripwire File Integrity Checker (Host IDS)" ID="ID_1914129145" CREATED="1286055489798" MODIFIED="1286212049305" COLOR="#111111" LINK="http://sourceforge.net/projects/tripwire/">
414. <font SIZE="12"/>
415. </node>
416. </node>
417. <node TEXT="Commercial IDS/IPS" ID="ID_1394054886" CREATED="1286054341962" MODIFIED="1286212049305" COLOR="#990000">
418. <font SIZE="14"/>
419. <edge STYLE="bezier" WIDTH="thin"/>
420. <node TEXT="McAfee" ID="ID_1014919721" CREATED="1286054372424" MODIFIED="1286212049306" COLOR="#111111">
421. <font SIZE="12"/>
422. <node TEXT="Intrushield network IDS/IPS (formerly product of Intruvert)" ID="ID_1039243382" CREATED="1286054461286" MODIFIED="1286054983504" COLOR="#111111" LINK="http://www.mcafee.com/de/enterprise/products/network_intrusion_prevention/index.html">
423. <font SIZE="12"/>
424. </node>
425. <node TEXT="Entercept Host IDS" ID="ID_1895125385" CREATED="1286054638306" MODIFIED="1286055106086" COLOR="#111111" LINK="http://www.mcafee.com/us/local_content/white_papers/wp_host_nip.pdf">
426. <font SIZE="12"/>
427. </node>
428. </node>
429. <node TEXT="Hewlett Packard" ID="ID_1835247452" CREATED="1286054380152" MODIFIED="1286212049306" COLOR="#111111">
430. <font SIZE="12"/>
431. <node TEXT="TippingPoint" ID="ID_566468300" CREATED="1286054918100" MODIFIED="1286054964113" COLOR="#111111" LINK="http://h10163.www1.hp.com/products_ips.html">
432. <font SIZE="12"/>
433. </node>
434. </node>
435. <node TEXT="IBM (formerly ISS)" ID="ID_943748802" CREATED="1286054387248" MODIFIED="1286212049307" COLOR="#111111" LINK="http://www-01.ibm.com/software/tivoli/products/security-network-intrusion-prevention/">
436. <font SIZE="12"/>
437. <node TEXT="IBM Intrusion Detection System (formerly ISS Proventia)" ID="ID_1315602311" CREATED="1286054438782" MODIFIED="1286054515700" COLOR="#111111">
438. <font SIZE="12"/>
439. </node>
440. <node TEXT="SiteProtector (management console)" ID="ID_1362236577" CREATED="1286054518044" MODIFIED="1286054527519" COLOR="#111111">
441. <font SIZE="12"/>
442. </node>
443. <node TEXT="Server Sensor Host IDS" ID="ID_30912152" CREATED="1286054664865" MODIFIED="1286054691242" COLOR="#111111">
444. <font SIZE="12"/>
445. </node>
446. <node TEXT="ISS Proventia Desktop (desktop IPS)" ID="ID_362995387" CREATED="1286054691769" MODIFIED="1286054706368" COLOR="#111111">
447. <font SIZE="12"/>
448. </node>
449. </node>
450. <node TEXT="Sourcefire" ID="ID_1355294988" CREATED="1286054410807" MODIFIED="1286212049308" COLOR="#111111" LINK="http://www.sourcefire.com/">
451. <font SIZE="12"/>
452. <node TEXT="3D Sensor" ID="ID_246198831" CREATED="1286054531124" MODIFIED="1286054537763" COLOR="#111111">
453. <font SIZE="12"/>
454. <node TEXT="Snort IDS/IPS" ID="ID_1062855414" CREATED="1286054538555" MODIFIED="1286054544066" COLOR="#111111">
455. <font SIZE="12"/>
456. </node>
457. <node TEXT="Realtime Network Awareness (RNA)" ID="ID_159680279" CREATED="1286054544518" MODIFIED="1286054558013" COLOR="#111111">
458. <font SIZE="12"/>
459. </node>
460. </node>
461. <node TEXT="Razorback (near Realtime malware detection)" ID="ID_94293576" CREATED="1286054561060" MODIFIED="1286054578632" COLOR="#111111">
462. <font SIZE="12"/>
463. </node>
464. </node>
465. <node TEXT="Cisco IPS" ID="ID_1776240815" CREATED="1286054582971" MODIFIED="1286212049309" COLOR="#111111" LINK="http://www.cisco.com/en/US/products/ps6825/index.html">
466. <font SIZE="12"/>
467. </node>
468. <node TEXT="Enterasys" ID="ID_858282761" CREATED="1286054712369" MODIFIED="1286212049310" COLOR="#111111">
469. <font SIZE="12"/>
470. <node TEXT="Dragon IDS" ID="ID_1191286503" CREATED="1286054718264" MODIFIED="1286055341558" COLOR="#111111" LINK="http://www.enterasys.com/products/advanced-security-apps/dragon-intrusion-detection-protection.aspx">
471. <font SIZE="12"/>
472. </node>
473. </node>
474. <node TEXT="etc..." ID="ID_658039105" CREATED="1286054731113" MODIFIED="1286212049310" COLOR="#111111">
475. <font SIZE="12"/>
476. </node>
477. </node>
478. <node TEXT="Security Information and Event Management (SIEM)" ID="ID_1973872791" CREATED="1286054349633" MODIFIED="1286212049311" COLOR="#990000">
479. <font SIZE="14"/>
480. <edge STYLE="bezier" WIDTH="thin"/>
481. <node TEXT="Arcsight" ID="ID_1476729345" CREATED="1286054740209" MODIFIED="1286212049312" COLOR="#111111" LINK="http://www.arcsight.com/">
482. <font SIZE="12"/>
483. </node>
484. <node TEXT="OSSIM (OpenSource)" ID="ID_1695833884" CREATED="1286054749432" MODIFIED="1286212049312" COLOR="#111111" LINK="http://www.alienvault.com/community.php?section=Home">
485. <font SIZE="12"/>
486. </node>
487. <node TEXT="Q1Labs" ID="ID_379042774" CREATED="1286054793991" MODIFIED="1286212049313" COLOR="#111111" LINK="http://q1labs.com/">
488. <font SIZE="12"/>
489. <node TEXT="QRadar" ID="ID_644802861" CREATED="1286054832983" MODIFIED="1286054836706" COLOR="#111111">
490. <font SIZE="12"/>
491. </node>
492. </node>
493. </node>
494. </node>
495. </node>
496. <node TEXT="active response" POSITION="left" ID="ID_577958909" CREATED="1285765317160" MODIFIED="1286053826015" COLOR="#0033ff">
497. <font SIZE="18"/>
498. <edge STYLE="sharp_bezier" WIDTH="8"/>
499. <node TEXT="change router config (NULL-route, blackhole-route, filter)" ID="ID_1105223548" CREATED="1285765324753" MODIFIED="1285847430015" COLOR="#00b439">
500. <font SIZE="16"/>
501. <edge STYLE="bezier" WIDTH="thin"/>
502. </node>
503. <node TEXT="TCP-Reset / ICMP Unreachable" ID="ID_652332340" CREATED="1285765344956" MODIFIED="1285765353988" COLOR="#00b439">
504. <font SIZE="16"/>
505. <edge STYLE="bezier" WIDTH="thin"/>
506. </node>
507. <node TEXT="reconfigure firewall" ID="ID_362123263" CREATED="1285765358659" MODIFIED="1285847441046" COLOR="#00b439">
508. <font SIZE="16"/>
509. <edge STYLE="bezier" WIDTH="thin"/>
510. </node>
511. <node TEXT="deactivate switchport / quarantine port  (with NAC)" ID="ID_411114688" CREATED="1285765366878" MODIFIED="1285847464750" COLOR="#00b439">
512. <font SIZE="16"/>
513. <edge STYLE="bezier" WIDTH="thin"/>
514. </node>
515. <node TEXT="suspend user accounts (AD, RADIUS, LDAP)" ID="ID_642041759" CREATED="1285765391534" MODIFIED="1285847474203" COLOR="#00b439">
516. <font SIZE="16"/>
517. <edge STYLE="bezier" WIDTH="thin"/>
518. </node>
519. <node TEXT="DROP (Inline IPS blocking mode)" ID="ID_1378527178" CREATED="1285765414425" MODIFIED="1285765424221" COLOR="#00b439">
520. <font SIZE="16"/>
521. <edge STYLE="bezier" WIDTH="thin"/>
522. </node>
523. </node>
524. <node TEXT="asset-database" POSITION="left" ID="ID_249580512" CREATED="1285766287810" MODIFIED="1285848130562" COLOR="#0033ff">
525. <font SIZE="18"/>
526. <edge STYLE="sharp_bezier" WIDTH="8"/>
527. <node TEXT="passive realtime data aquisition (sniffing)" ID="ID_1819169174" CREATED="1285766312591" MODIFIED="1285846114375" COLOR="#00b439">
528. <font SIZE="16"/>
529. <edge STYLE="bezier" WIDTH="thin"/>
530. <node TEXT="Sourcefire RNA" ID="ID_868341550" CREATED="1285766336388" MODIFIED="1285766341044" COLOR="#990000">
531. <font SIZE="14"/>
532. </node>
533. <node TEXT="Tenable PVS" ID="ID_1166751638" CREATED="1285766342294" MODIFIED="1285766351309" COLOR="#990000">
534. <font SIZE="14"/>
535. </node>
536. <node TEXT="no adverse impact on productive systems" ID="ID_802175340" CREATED="1285766436027" MODIFIED="1285846218656" COLOR="#990000">
537. <font SIZE="14"/>
538. </node>
539. <node TEXT="stealth" ID="ID_969593551" CREATED="1285766557370" MODIFIED="1285846225359" COLOR="#990000">
540. <font SIZE="14"/>
541. </node>
542. <node TEXT="detect changes in realtime" ID="ID_1308815029" CREATED="1285766562058" MODIFIED="1285846234093" COLOR="#990000">
543. <font SIZE="14"/>
544. </node>
545. <node TEXT="limited detail / passive fingerprinting inaccurate" ID="ID_912117098" CREATED="1285766577948" MODIFIED="1285846281843" COLOR="#990000">
546. <font SIZE="14"/>
547. </node>
548. </node>
549. <node TEXT="edit manually" ID="ID_1909352295" CREATED="1285766357325" MODIFIED="1285846289906" COLOR="#00b439">
550. <font SIZE="16"/>
551. <edge STYLE="bezier" WIDTH="thin"/>
552. </node>
553. <node TEXT="import from CMDB" ID="ID_1734077183" CREATED="1285766363278" MODIFIED="1285846297546" COLOR="#00b439">
554. <font SIZE="16"/>
555. <edge STYLE="bezier" WIDTH="thin"/>
556. </node>
557. <node TEXT="active scanning" ID="ID_407454782" CREATED="1285766379497" MODIFIED="1285846308437" COLOR="#00b439">
558. <font SIZE="16"/>
559. <edge STYLE="bezier" WIDTH="thin"/>
560. <node TEXT="Nessus" ID="ID_521283285" CREATED="1285766386512" MODIFIED="1285766389747" COLOR="#990000">
561. <font SIZE="14"/>
562. </node>
563. <node TEXT="Qualys" ID="ID_452276020" CREATED="1285766390575" MODIFIED="1285766395481" COLOR="#990000">
564. <font SIZE="14"/>
565. </node>
566. <node TEXT="Foundstone" ID="ID_1425956879" CREATED="1285766396278" MODIFIED="1285766421887" COLOR="#990000">
567. <font SIZE="14"/>
568. </node>
569. <node TEXT="IBM ISS Enterprise Scanner" ID="ID_1835220690" CREATED="1285766422809" MODIFIED="1285766430418" COLOR="#990000">
570. <font SIZE="14"/>
571. </node>
572. <node TEXT="noisy" ID="ID_664889825" CREATED="1285766431512" MODIFIED="1285846315968" COLOR="#990000">
573. <font SIZE="14"/>
574. </node>
575. <node TEXT="network load / can cause discruptions or performance degradation of networks and hosts" ID="ID_771325508" CREATED="1285766606136" MODIFIED="1285846348531" COLOR="#990000">
576. <font SIZE="14"/>
577. </node>
578. <node TEXT="detailed information" ID="ID_390207393" CREATED="1285766616151" MODIFIED="1285846360218" COLOR="#990000">
579. <font SIZE="14"/>
580. </node>
581. <node TEXT="changes in between periodic scans are not detected in realtime" ID="ID_1567792998" CREATED="1285766627386" MODIFIED="1285846395140" COLOR="#990000">
582. <font SIZE="14"/>
583. </node>
584. </node>
585. </node>
586. <node TEXT="privacy concerns" POSITION="left" ID="ID_571152968" CREATED="1285766669495" MODIFIED="1285847503328" COLOR="#0033ff">
587. <font SIZE="18"/>
588. <edge STYLE="sharp_bezier" WIDTH="8"/>
589. <node TEXT="IDS records personal identifiable information including payload" ID="ID_1250280863" CREATED="1285766675917" MODIFIED="1285847564468" COLOR="#00b439">
590. <font SIZE="16"/>
591. <edge STYLE="bezier" WIDTH="thin"/>
592. </node>
593. <node TEXT="conflicting goals" ID="ID_492093578" CREATED="1285766694182" MODIFIED="1285847606593" COLOR="#00b439">
594. <font SIZE="16"/>
595. <edge STYLE="bezier" WIDTH="thin"/>
596. <node TEXT="record evidence" ID="ID_1118715915" CREATED="1285766702198" MODIFIED="1285847615250" COLOR="#990000">
597. <font SIZE="14"/>
598. </node>
599. <node TEXT="Privacy" ID="ID_382039802" CREATED="1285766707416" MODIFIED="1285847618015" COLOR="#990000">
600. <font SIZE="14"/>
601. </node>
602. </node>
603. <node TEXT="solutions" ID="ID_932377827" CREATED="1285766719354" MODIFIED="1285847627937" COLOR="#00b439">
604. <font SIZE="16"/>
605. <edge STYLE="bezier" WIDTH="thin"/>
606. <node TEXT="mandatory access control  / need to know basis" ID="ID_669244933" CREATED="1285766726026" MODIFIED="1285847650203" COLOR="#990000">
607. <font SIZE="14"/>
608. </node>
609. <node TEXT="encryption" ID="ID_468866043" CREATED="1285766733088" MODIFIED="1285847656609" COLOR="#990000">
610. <font SIZE="14"/>
611. </node>
612. <node TEXT="key-escrow / four-eyes principle for archived data" ID="ID_584912146" CREATED="1285766738776" MODIFIED="1285847689015" COLOR="#990000">
613. <font SIZE="14"/>
614. </node>
615. <node TEXT="anonymize and erase payload data after x days/months" ID="ID_998604707" CREATED="1285766749416" MODIFIED="1285848033390" COLOR="#990000">
616. <font SIZE="14"/>
617. </node>
618. <node TEXT="archive full data permanently only in case of data breach (timestamped, double hashed, signed)" ID="ID_950714123" CREATED="1285766768541" MODIFIED="1285848109906" COLOR="#990000">
619. <font SIZE="14"/>
620. </node>
621. </node>
622. <node TEXT="adhere to local and international law and regulations" ID="ID_421164563" CREATED="1285847506843" MODIFIED="1285847533187" COLOR="#00b439">
623. <font SIZE="16"/>
624. <edge STYLE="bezier" WIDTH="thin"/>
625. </node>
626. </node>
627. <node TEXT="incident handling &amp; response" POSITION="left" ID="ID_868021355" CREATED="1285767159382" MODIFIED="1285848154640" COLOR="#0033ff">
628. <font SIZE="18"/>
629. <edge STYLE="sharp_bezier" WIDTH="8"/>
630. <node TEXT="incident response plan" ID="ID_1055286553" CREATED="1285767167007" MODIFIED="1286054221819" COLOR="#00b439">
631. <font SIZE="16"/>
632. <edge STYLE="bezier" WIDTH="thin"/>
633. <node TEXT="triage" ID="ID_1935079040" CREATED="1285767178820" MODIFIED="1286054226742" COLOR="#990000">
634. <font SIZE="14"/>
635. </node>
636. <node TEXT="incident analysis / forensics / conservation of evidence" ID="ID_313001818" CREATED="1285767260538" MODIFIED="1286054239893" COLOR="#990000">
637. <font SIZE="14"/>
638. <node TEXT="Tools" ID="ID_1114230086" CREATED="1285767373896" MODIFIED="1285767376396" COLOR="#111111">
639. <font SIZE="12"/>
640. <node TEXT="Sleuthkit/Autopsy" ID="ID_693623845" CREATED="1285767376396" MODIFIED="1285767445474" COLOR="#111111" LINK="www.sleuthkit.org">
641. <font SIZE="12"/>
642. </node>
643. <node TEXT="Encase" ID="ID_4426128" CREATED="1285767387912" MODIFIED="1285767408974" COLOR="#111111" LINK="www.guidancesoftware.com/forensic.htm">
644. <font SIZE="12"/>
645. </node>
646. </node>
647. </node>
648. <node TEXT="restore / protect / report" ID="ID_1194960895" CREATED="1285767286788" MODIFIED="1286054248704" COLOR="#990000">
649. <font SIZE="14"/>
650. </node>
651. <node TEXT="re-evaluate current operational security controls" ID="ID_437617673" CREATED="1285767297584" MODIFIED="1286054262880" COLOR="#990000">
652. <font SIZE="14"/>
653. </node>
654. </node>
655. <node TEXT="resources" ID="ID_1236516325" CREATED="1285767195038" MODIFIED="1286054268881" COLOR="#00b439">
656. <font SIZE="16"/>
657. <edge STYLE="bezier" WIDTH="thin"/>
658. <node TEXT="ENISA" ID="ID_392085968" CREATED="1285767200382" MODIFIED="1285767223694" COLOR="#990000" LINK="www.enisa.europa.eu">
659. <font SIZE="14"/>
660. </node>
661. <node TEXT="CERT/CC" ID="ID_885081752" CREATED="1285767207632" MODIFIED="1285767241616" COLOR="#990000" LINK="www.cert.org">
662. <font SIZE="14"/>
663. </node>
664. </node>
665. <node TEXT="tools" ID="ID_1077358277" CREATED="1285767470849" MODIFIED="1286054275872" COLOR="#00b439">
666. <font SIZE="16"/>
667. <edge STYLE="bezier" WIDTH="thin"/>
668. <node TEXT="SIRIOS" ID="ID_818343820" CREATED="1285767479865" MODIFIED="1285767491880" COLOR="#990000" LINK="http://sirios.org">
669. <font SIZE="14"/>
670. </node>
671. <node TEXT="RTIR" ID="ID_248519109" CREATED="1285767494099" MODIFIED="1285767515802" COLOR="#990000" LINK="http://bestpractical.com/rtir">
672. <font SIZE="14"/>
673. </node>
674. <node TEXT="AIRT" ID="ID_930972693" CREATED="1285767517849" MODIFIED="1285767537302" COLOR="#990000" LINK="http://airt.leune.com">
675. <font SIZE="14"/>
676. </node>
677. </node>
678. </node>
679. <node TEXT="training" POSITION="right" ID="ID_610164131" CREATED="1285767561489" MODIFIED="1285848184093" COLOR="#0033ff">
680. <font SIZE="18"/>
681. <edge STYLE="sharp_bezier" WIDTH="8"/>
682. <node TEXT="Forensic Challenges" ID="ID_1352866525" CREATED="1285767565395" MODIFIED="1285767587458" COLOR="#00b439" LINK="www.honeynet.org/challenges">
683. <font SIZE="16"/>
684. <edge STYLE="bezier" WIDTH="thin"/>
685. </node>
686. <node TEXT="Red Teaming / Blue Teaming" ID="ID_1506056060" CREATED="1285767589504" MODIFIED="1285767597567" COLOR="#00b439">
687. <font SIZE="16"/>
688. <edge STYLE="bezier" WIDTH="thin"/>
689. </node>
690. <node TEXT="Capture the Flag contests" ID="ID_1114145690" CREATED="1285767598473" MODIFIED="1285767613614" COLOR="#00b439">
691. <font SIZE="16"/>
692. <edge STYLE="bezier" WIDTH="thin"/>
693. </node>
694. <node TEXT="Run hackertools / exploits against test-systems and monitor network traffic with your IDS" ID="ID_429981636" CREATED="1285767614348" MODIFIED="1285767668363" COLOR="#00b439">
695. <font SIZE="16"/>
696. <edge STYLE="bezier" WIDTH="thin"/>
697. </node>
698. <node TEXT="external Training" ID="ID_756571116" CREATED="1285767669488" MODIFIED="1285767676879" COLOR="#00b439">
699. <font SIZE="16"/>
700. <edge STYLE="bezier" WIDTH="thin"/>
701. <node TEXT="SANS Courses" ID="ID_95277440" CREATED="1285767676879" MODIFIED="1285767703332" COLOR="#990000" LINK="www.sans.org/security-training/courses.php">
702. <font SIZE="14"/>
703. </node>
704. <node TEXT="Offensive Security Courses" ID="ID_307889159" CREATED="1285767705207" MODIFIED="1285767726129" COLOR="#990000" LINK="www.offensive-security.com">
705. <font SIZE="14"/>
706. </node>
707. <node TEXT="other" ID="ID_1972542445" CREATED="1285767728144" MODIFIED="1285767729863" COLOR="#990000">
708. <font SIZE="14"/>
709. </node>
710. </node>
711. <node TEXT="practice your Incident Response Plan and Restore Procedures regularly" ID="ID_1848176705" CREATED="1285767735316" MODIFIED="1285767779613" COLOR="#00b439">
712. <font SIZE="16"/>
713. <edge STYLE="bezier" WIDTH="thin"/>
714. </node>
715. <node TEXT="analyze IDS events and dig deep" ID="ID_691504130" CREATED="1285767788050" MODIFIED="1285767811487" COLOR="#00b439">
716. <font SIZE="16"/>
717. <edge STYLE="bezier" WIDTH="thin"/>
718. </node>
719. <node TEXT="Tools / Distros" ID="ID_1239264797" CREATED="1285767831550" MODIFIED="1285767837628" COLOR="#00b439">
720. <font SIZE="16"/>
721. <edge STYLE="bezier" WIDTH="thin"/>
722. <node TEXT="Backtrack-Linux" ID="ID_1098390219" CREATED="1285767837628" MODIFIED="1285767842831" COLOR="#990000">
723. <font SIZE="14"/>
724. </node>
725. <node TEXT="Metasploit" ID="ID_473549972" CREATED="1285767843565" MODIFIED="1285767847643" COLOR="#990000">
726. <font SIZE="14"/>
727. </node>
728. <node TEXT="SET" ID="ID_1560982917" CREATED="1285767848222" MODIFIED="1285767851987" COLOR="#990000">
729. <font SIZE="14"/>
730. </node>
731. <node TEXT="WebGoat" ID="ID_1072874347" CREATED="1285767852597" MODIFIED="1285767858675" COLOR="#990000">
732. <font SIZE="14"/>
733. </node>
734. <node TEXT="DVL" ID="ID_313720748" CREATED="1285767859347" MODIFIED="1285767864690" COLOR="#990000">
735. <font SIZE="14"/>
736. </node>
737. <node TEXT="DVWA" ID="ID_1127887388" CREATED="1285767865300" MODIFIED="1285767871956" COLOR="#990000">
738. <font SIZE="14"/>
739. </node>
740. <node TEXT="De-ICE Pentest Live-CDs" ID="ID_767692558" CREATED="1285767872737" MODIFIED="1285767894596" COLOR="#990000">
741. <font SIZE="14"/>
742. </node>
743. </node>
744. <node TEXT="Resources" ID="ID_1191898242" CREATED="1285767899346" MODIFIED="1285767902674" COLOR="#00b439">
745. <font SIZE="16"/>
746. <edge STYLE="bezier" WIDTH="thin"/>
747. <node TEXT="www.securitytube.net" ID="ID_1428528976" CREATED="1285767902674" MODIFIED="1285767909518" COLOR="#990000">
748. <font SIZE="14"/>
749. </node>
750. <node TEXT="Twitter" ID="ID_1311224315" CREATED="1285767910315" MODIFIED="1285767916502" COLOR="#990000">
751. <font SIZE="14"/>
752. </node>
753. <node TEXT="owasp.org" ID="ID_1072204875" CREATED="1285767917393" MODIFIED="1285767924627" COLOR="#990000">
754. <font SIZE="14"/>
755. </node>
756. </node>
757. </node>
758. <node TEXT="ids resources on the web" POSITION="left" ID="ID_772916081" CREATED="1285767929612" MODIFIED="1285848166578" COLOR="#0033ff">
759. <font SIZE="18"/>
760. <edge STYLE="sharp_bezier" WIDTH="8"/>
761. <node TEXT="Securitywizardry.com" ID="ID_1984606682" CREATED="1285767944158" MODIFIED="1286210420387" COLOR="#00b439" LINK="http://networkintrusion.co.uk/index.php/products/ids-and-ips.html">
762. <font SIZE="16"/>
763. <edge STYLE="bezier" WIDTH="thin"/>
764. </node>
765. <node TEXT="NSSLabs" ID="ID_1293967484" CREATED="1286210861041" MODIFIED="1286210870851" COLOR="#00b439" LINK="http://nsslabs.com/ips">
766. <font SIZE="16"/>
767. <edge STYLE="bezier" WIDTH="thin"/>
768. </node>
769. </node>
770. <node TEXT="ism context" POSITION="right" ID="ID_734031865" CREATED="1285782463528" MODIFIED="1285848214046" COLOR="#0033ff">
771. <font SIZE="18"/>
772. <edge STYLE="sharp_bezier" WIDTH="8"/>
773. <node TEXT="ISO 2700x vs BSI Grundschutz" ID="ID_427400104" CREATED="1285782529513" MODIFIED="1285782846586" COLOR="#00b439">
774. <font SIZE="16"/>
775. <edge STYLE="bezier" WIDTH="thin"/>
776. <node TEXT="ISO: Communications and Operations Management Section 10.6.1" ID="ID_753016884" CREATED="1285782856056" MODIFIED="1285782889498" COLOR="#990000">
777. <font SIZE="14"/>
778. </node>
779. <node TEXT="BSI: M 5.71 Intrusion Detection and Response Systems" ID="ID_1542173547" CREATED="1285782890024" MODIFIED="1285783119167" COLOR="#990000">
780. <font SIZE="14"/>
781. </node>
782. </node>
783. <node TEXT="OSSTMM" ID="ID_1652307562" CREATED="1285782555672" MODIFIED="1285782611287" COLOR="#00b439">
784. <font SIZE="16"/>
785. <edge STYLE="bezier" WIDTH="thin"/>
786. <node TEXT="Class A Controls (Interactive)" ID="ID_479194899" CREATED="1285782615254" MODIFIED="1285782641232" COLOR="#990000">
787. <font SIZE="14"/>
788. <node TEXT="Authentication" ID="ID_561754259" CREATED="1285782712523" MODIFIED="1285782716998" COLOR="#111111">
789. <font SIZE="12"/>
790. </node>
791. <node TEXT="Indemnification" ID="ID_1875224039" CREATED="1285782717395" MODIFIED="1285782722143" COLOR="#111111">
792. <font SIZE="12"/>
793. </node>
794. <node TEXT="Resistance" ID="ID_1786124053" CREATED="1285782727166" MODIFIED="1285782730753" COLOR="#111111">
795. <font SIZE="12"/>
796. </node>
797. <node TEXT="Subjugation" ID="ID_1337205299" CREATED="1285782732171" MODIFIED="1285782736063" COLOR="#111111">
798. <font SIZE="12"/>
799. </node>
800. <node TEXT="Continuity" ID="ID_1553717001" CREATED="1285782736427" MODIFIED="1285782747536" COLOR="#111111">
801. <font SIZE="12"/>
802. </node>
803. </node>
804. <node TEXT="Class B Controls (Process)" ID="ID_1972518417" CREATED="1285782626197" MODIFIED="1285782633525" COLOR="#990000">
805. <font SIZE="14"/>
806. <node TEXT="Non-repudiation" ID="ID_456994826" CREATED="1285782749018" MODIFIED="1285782754321" COLOR="#111111">
807. <font SIZE="12"/>
808. </node>
809. <node TEXT="Confidentiality" ID="ID_930465822" CREATED="1285782755162" MODIFIED="1285782758973" COLOR="#111111">
810. <font SIZE="12"/>
811. </node>
812. <node TEXT="Privacy" ID="ID_819933568" CREATED="1285782763490" MODIFIED="1285782767414" COLOR="#111111">
813. <font SIZE="12"/>
814. </node>
815. <node TEXT="Integrity" ID="ID_1423435348" CREATED="1285782768370" MODIFIED="1285782770921" COLOR="#111111">
816. <font SIZE="12"/>
817. </node>
818. <node TEXT="Alarm" ID="ID_469698143" CREATED="1285782771482" MODIFIED="1285845266859" COLOR="#111111">
819. <font SIZE="12" BOLD="true"/>
820. </node>
821. </node>
822. </node>
823. </node>
824. <node TEXT="detection methodologies and techniques" POSITION="right" ID="ID_1895556521" CREATED="1285782502291" MODIFIED="1286211121652" COLOR="#0033ff">
825. <font SIZE="18"/>
826. <edge STYLE="sharp_bezier" WIDTH="8"/>
827. <node TEXT="data sources" ID="ID_641884326" CREATED="1285783178951" MODIFIED="1286017448947" COLOR="#00b439">
828. <font SIZE="16"/>
829. <edge STYLE="bezier" WIDTH="thin"/>
830. <node TEXT="network based" ID="Freemind_Link_1014422572" CREATED="1285307735937" MODIFIED="1285784162585" COLOR="#990000">
831. <font SIZE="14"/>
832. <edge STYLE="bezier" WIDTH="thin"/>
833. <node TEXT="Hub" ID="Freemind_Link_1958174202" CREATED="1285307744359" MODIFIED="1285783197696" COLOR="#111111">
834. <font SIZE="12"/>
835. <node TEXT="outdated technology" ID="Freemind_Link_688393001" CREATED="1285307855109" MODIFIED="1285784203951" COLOR="#111111">
836. <font SIZE="12"/>
837. </node>
838. <node TEXT="cheap" ID="Freemind_Link_796964033" CREATED="1285307861359" MODIFIED="1285784207699" COLOR="#111111">
839. <font SIZE="12"/>
840. </node>
841. <node TEXT="easy" ID="Freemind_Link_491066202" CREATED="1285307865031" MODIFIED="1285784211830" COLOR="#111111">
842. <font SIZE="12"/>
843. </node>
844. <node TEXT="non full duplex" ID="Freemind_Link_1703340972" CREATED="1285307871250" MODIFIED="1285784220997" COLOR="#111111">
845. <font SIZE="12"/>
846. </node>
847. </node>
848. <node TEXT="switch mirror port" ID="Freemind_Link_1115328767" CREATED="1285307755656" MODIFIED="1285784235457" COLOR="#111111">
849. <font SIZE="12"/>
850. <node TEXT="easy" ID="Freemind_Link_1109065971" CREATED="1285307885437" MODIFIED="1285784238614" COLOR="#111111">
851. <font SIZE="12"/>
852. </node>
853. <node TEXT="cheap and ubiquitously available" ID="Freemind_Link_1638836603" CREATED="1285307906062" MODIFIED="1285784250437" COLOR="#111111">
854. <font SIZE="12"/>
855. </node>
856. <node TEXT="performance impact with some products" ID="Freemind_Link_953145509" CREATED="1285307919250" MODIFIED="1285784271595" COLOR="#111111">
857. <font SIZE="12"/>
858. </node>
859. <node TEXT="no full duplex monitoring if linkspeed monitor port = linkspeed mirrored port" ID="Freemind_Link_1519906770" CREATED="1285307937703" MODIFIED="1285784325636" COLOR="#111111">
860. <font SIZE="12"/>
861. </node>
862. </node>
863. <node TEXT="Network-Tap" ID="Freemind_Link_1346732349" CREATED="1285307765546" MODIFIED="1285783197698" COLOR="#111111">
864. <font SIZE="12"/>
865. <node TEXT="Read-Only (protection and stealthyness for the IDS)" ID="Freemind_Link_364848179" CREATED="1285307976828" MODIFIED="1285784354881" COLOR="#111111">
866. <font SIZE="12"/>
867. </node>
868. <node TEXT="full-duplex capable" ID="Freemind_Link_1444884878" CREATED="1285307990640" MODIFIED="1285784364876" COLOR="#111111">
869. <font SIZE="12"/>
870. </node>
871. <node TEXT="failsafe / failure does not impact productive link" ID="Freemind_Link_1524278556" CREATED="1285307999718" MODIFIED="1285784409361" COLOR="#111111">
872. <font SIZE="12"/>
873. </node>
874. <node TEXT="costs additional money" ID="Freemind_Link_986577999" CREATED="1285308009765" MODIFIED="1285784417343" COLOR="#111111">
875. <font SIZE="12"/>
876. </node>
877. <node TEXT="more cabling" ID="Freemind_Link_1288876479" CREATED="1285308024281" MODIFIED="1285784432938" COLOR="#111111">
878. <font SIZE="12"/>
879. </node>
880. </node>
881. <node TEXT="Netflow" ID="Freemind_Link_1173596812" CREATED="1285307772218" MODIFIED="1285783197699" COLOR="#111111">
882. <font SIZE="12"/>
883. <node TEXT="ubiquitously supported with many network devices" ID="Freemind_Link_1030308969" CREATED="1285308037312" MODIFIED="1285784449906" COLOR="#111111">
884. <font SIZE="12"/>
885. </node>
886. <node TEXT="provides for broad coverage at reasonable cost" ID="Freemind_Link_287838846" CREATED="1285308050250" MODIFIED="1285784500019" COLOR="#111111">
887. <font SIZE="12"/>
888. </node>
889. <node TEXT="heavily reduced information content" ID="Freemind_Link_1881923729" CREATED="1285308062609" MODIFIED="1285784550902" COLOR="#111111">
890. <font SIZE="12"/>
891. </node>
892. </node>
893. <node TEXT="Honeypot / Dark-IP Sensor" ID="Freemind_Link_264329782" CREATED="1285307781890" MODIFIED="1285783197700" COLOR="#111111">
894. <font SIZE="12"/>
895. <node TEXT="no False Positives if deployed appropriately" ID="Freemind_Link_202463756" CREATED="1285308073906" MODIFIED="1285784571759" COLOR="#111111">
896. <font SIZE="12"/>
897. </node>
898. <node TEXT="binds unused ip addresses" ID="Freemind_Link_888015790" CREATED="1285308081750" MODIFIED="1285784582345" COLOR="#111111">
899. <font SIZE="12"/>
900. </node>
901. <node TEXT="extra cost and management overhead" ID="Freemind_Link_1671223647" CREATED="1285308092875" MODIFIED="1285784593160" COLOR="#111111">
902. <font SIZE="12"/>
903. </node>
904. </node>
905. <node TEXT="Arpwatch Sensor" ID="Freemind_Link_166733825" CREATED="1285307795015" MODIFIED="1285783197701" COLOR="#111111">
906. <font SIZE="12"/>
907. <node TEXT="easy to deploy at virtually no cost" ID="Freemind_Link_330417101" CREATED="1285308107125" MODIFIED="1285784606731" COLOR="#111111">
908. <font SIZE="12"/>
909. </node>
910. </node>
911. </node>
912. <node TEXT="host based" ID="Freemind_Link_1351679463" CREATED="1285307804343" MODIFIED="1285784169430" COLOR="#990000">
913. <font SIZE="14"/>
914. <edge STYLE="bezier" WIDTH="thin"/>
915. <node TEXT="Logfiles" ID="Freemind_Link_970429520" CREATED="1285307808453" MODIFIED="1285783197706" COLOR="#111111">
916. <font SIZE="12"/>
917. <node TEXT="rich information source" ID="Freemind_Link_586372106" CREATED="1285308136484" MODIFIED="1285784785470" COLOR="#111111">
918. <font SIZE="12"/>
919. </node>
920. <node TEXT="ubiquitously available on all hosts" ID="Freemind_Link_799104741" CREATED="1285308144343" MODIFIED="1285784638635" COLOR="#111111">
921. <font SIZE="12"/>
922. </node>
923. <node TEXT="quite efficient for well-known log formats" ID="Freemind_Link_574458582" CREATED="1285308167625" MODIFIED="1285784660109" COLOR="#111111">
924. <font SIZE="12"/>
925. </node>
926. <node TEXT="takes substantial time and effort for custom log formats" ID="Freemind_Link_1022367908" CREATED="1285308180812" MODIFIED="1285784721269" COLOR="#111111">
927. <font SIZE="12"/>
928. </node>
929. <node TEXT="detection methods / signatures have to be updated with each update of the log format" ID="Freemind_Link_14801023" CREATED="1285308194140" MODIFIED="1285784753972" COLOR="#111111">
930. <font SIZE="12"/>
931. </node>
932. <node TEXT="with some products you don&apos;t even have a map of all possible log messages" ID="Freemind_Link_1049909300" CREATED="1285308212218" MODIFIED="1285784774595" COLOR="#111111">
933. <font SIZE="12"/>
934. </node>
935. <node TEXT="Example product: OSSEC" ID="ID_1720411336" CREATED="1286055709384" MODIFIED="1286055732628" COLOR="#111111">
936. <font SIZE="12"/>
937. </node>
938. </node>
939. <node TEXT="Filesystem" ID="Freemind_Link_982205412" CREATED="1285307823796" MODIFIED="1285784890178" COLOR="#111111">
940. <font SIZE="12"/>
941. <node TEXT="rich information source" ID="Freemind_Link_980279665" CREATED="1285308262328" MODIFIED="1285784781724" COLOR="#111111" HGAP="18" VSHIFT="3">
942. <font SIZE="12"/>
943. </node>
944. <node TEXT="ubiquitously available on all hosts with a file system" ID="ID_292692984" CREATED="1285764775991" MODIFIED="1285784805751" COLOR="#111111">
945. <font SIZE="12"/>
946. </node>
947. <node TEXT="filesystems undergo constant changes / hash databases have to be updated quite frequently" ID="ID_343045934" CREATED="1285764803694" MODIFIED="1285784852418" COLOR="#111111">
948. <font SIZE="12"/>
949. </node>
950. <node TEXT="best suited for hardened systems with high security demands and little changes" ID="ID_1782253079" CREATED="1285764829569" MODIFIED="1285784881639" COLOR="#111111">
951. <font SIZE="12"/>
952. </node>
953. <node TEXT="Example product: OSSEC, Tripwire" ID="ID_1856553439" CREATED="1286055734056" MODIFIED="1286055745458" COLOR="#111111">
954. <font SIZE="12"/>
955. </node>
956. </node>
957. <node TEXT="System Memory" ID="Freemind_Link_1106874480" CREATED="1285307832984" MODIFIED="1285784916800" COLOR="#111111">
958. <font SIZE="12"/>
959. <node TEXT="ultimative data source / could theoretically see everything that&apos;s going on under the hood" ID="Freemind_Link_978629008" CREATED="1285308280546" MODIFIED="1285784950189" COLOR="#111111">
960. <font SIZE="12"/>
961. </node>
962. <node TEXT="the place where exploits actually are happening" ID="Freemind_Link_1431452349" CREATED="1285308315265" MODIFIED="1285784974312" COLOR="#111111">
963. <font SIZE="12"/>
964. </node>
965. <node TEXT="needs only few generic signatures (behavioural patterns like hides process, spawns shell, overflows buffer etc.)" ID="Freemind_Link_44648659" CREATED="1285308333093" MODIFIED="1285785028498" COLOR="#111111">
966. <font SIZE="12"/>
967. </node>
968. <node TEXT="suited for preventative intrusion detection and prevention" ID="Freemind_Link_1719840562" CREATED="1285308353265" MODIFIED="1285785053980" COLOR="#111111">
969. <font SIZE="12"/>
970. </node>
971. <node TEXT="has to have system privs / kernel mode / works as a system driver (e.g. hooks system service descriptor table, APIs, memory mappings etc.)" ID="Freemind_Link_1885470815" CREATED="1285308376515" MODIFIED="1285785201328" COLOR="#111111">
972. <font SIZE="12"/>
973. </node>
974. <node TEXT="error in implementation could cause stability issues (crashes, kernel panics) or even security holes" ID="Freemind_Link_1168205072" CREATED="1285308453140" MODIFIED="1285785241846" COLOR="#111111">
975. <font SIZE="12"/>
976. </node>
977. <node TEXT="Example product: Entercept Host IPS" ID="ID_20741630" CREATED="1286055750944" MODIFIED="1286055773698" COLOR="#111111">
978. <font SIZE="12"/>
979. </node>
980. </node>
981. <node TEXT="local network stack" ID="ID_947224521" CREATED="1285785247832" MODIFIED="1285785265259" COLOR="#111111">
982. <font SIZE="12"/>
983. <node TEXT="same stuff as network based data sources here" ID="ID_8241442" CREATED="1286055774935" MODIFIED="1286055788155" COLOR="#111111">
984. <font SIZE="12"/>
985. </node>
986. <node TEXT="Example products: IBM ISS Proventia Server (Server Sensor); ISS Proventia Desktop" ID="ID_350149287" CREATED="1286055788728" MODIFIED="1286055818554" COLOR="#111111">
987. <font SIZE="12"/>
988. </node>
989. </node>
990. </node>
991. </node>
992. <node TEXT="detection methods" ID="ID_1951541515" CREATED="1285783183910" MODIFIED="1286017442635" COLOR="#00b439">
993. <font SIZE="16"/>
994. <edge STYLE="bezier" WIDTH="thin"/>
995. <node TEXT="prerequisites" ID="ID_303191664" CREATED="1285785363492" MODIFIED="1285785375436" COLOR="#990000">
996. <font SIZE="14"/>
997. <node TEXT="IP-defragmentation" ID="ID_1911467367" CREATED="1285785382787" MODIFIED="1285785411099" COLOR="#111111">
998. <font SIZE="12"/>
999. <node TEXT="handle overlapping fragments like the receiving endnode" ID="ID_485804224" CREATED="1285785543143" MODIFIED="1285785638008" COLOR="#111111">
1000. <font SIZE="12"/>
1001. </node>
1002. <node TEXT="IDS evasion/DoS tools: fragrouter/fragroute" ID="ID_1834453211" CREATED="1286056010792" MODIFIED="1286056022892" COLOR="#111111">
1003. <font SIZE="12"/>
1004. </node>
1005. </node>
1006. <node TEXT="tcp-reassembly" ID="ID_540121661" CREATED="1285785411595" MODIFIED="1285785416908" COLOR="#111111">
1007. <font SIZE="12"/>
1008. <node TEXT="handle overlapping payload chunks like the receiving endnode" ID="ID_368990292" CREATED="1285785560822" MODIFIED="1285785630933" COLOR="#111111">
1009. <font SIZE="12"/>
1010. </node>
1011. <node TEXT="handle out of band an out of window segments like the receiving endnod" ID="ID_529999600" CREATED="1285785604564" MODIFIED="1285785627063" COLOR="#111111">
1012. <font SIZE="12"/>
1013. </node>
1014. </node>
1015. <node TEXT="state tracking of all types of protocols" ID="ID_915503306" CREATED="1285785417413" MODIFIED="1285785439786" COLOR="#111111">
1016. <font SIZE="12"/>
1017. <node TEXT="tcp" ID="ID_913692613" CREATED="1285785441210" MODIFIED="1285785444411" COLOR="#111111">
1018. <font SIZE="12"/>
1019. <node TEXT="three way handshake" ID="ID_1370230911" CREATED="1285785652731" MODIFIED="1285785660511" COLOR="#111111">
1020. <font SIZE="12"/>
1021. </node>
1022. <node TEXT="sequence numbers / ack numbers" ID="ID_15335367" CREATED="1285785660820" MODIFIED="1285785676603" COLOR="#111111">
1023. <font SIZE="12"/>
1024. </node>
1025. </node>
1026. <node TEXT="udp" ID="ID_1114277601" CREATED="1285785444737" MODIFIED="1285785446679" COLOR="#111111">
1027. <font SIZE="12"/>
1028. </node>
1029. <node TEXT="icmp" ID="ID_1047919937" CREATED="1285785446945" MODIFIED="1285785450074" COLOR="#111111">
1030. <font SIZE="12"/>
1031. </node>
1032. <node TEXT="other" ID="ID_761546150" CREATED="1285785450769" MODIFIED="1285785454309" COLOR="#111111">
1033. <font SIZE="12"/>
1034. </node>
1035. <node TEXT="state tracking of at least some application protocols" ID="ID_1118268150" CREATED="1285785454545" MODIFIED="1285785483898" COLOR="#111111">
1036. <font SIZE="12"/>
1037. </node>
1038. <node TEXT="IDS evasion/DoS Tools; stick, snot" ID="ID_1175365117" CREATED="1286055969865" MODIFIED="1286056008103" COLOR="#111111">
1039. <font SIZE="12"/>
1040. </node>
1041. </node>
1042. <node TEXT="protocol, format and uri normalization/canonicalization" ID="ID_1304931743" CREATED="1285785486448" MODIFIED="1285785508297" COLOR="#111111">
1043. <font SIZE="12"/>
1044. <node TEXT="encodings" ID="ID_567955335" CREATED="1285785694850" MODIFIED="1285785709169" COLOR="#111111">
1045. <font SIZE="12"/>
1046. <node TEXT="base64" ID="ID_305426794" CREATED="1285785710241" MODIFIED="1285785717113" COLOR="#111111">
1047. <font SIZE="12"/>
1048. <node TEXT="Example: http://isc.sans.edu/diary.html?storyid=9397" ID="ID_1824056593" CREATED="1285785984611" MODIFIED="1285785992818" COLOR="#111111">
1049. <font SIZE="12"/>
1050. </node>
1051. </node>
1052. <node TEXT="urlencode" ID="ID_491020272" CREATED="1285785717706" MODIFIED="1285785721696" COLOR="#111111">
1053. <font SIZE="12"/>
1054. <node TEXT="Example: http://example.com/shop.php?id=cmd.exe same as&#xa;http%3A%2F%2Fexample.com%2Fshop.php%3Fid%3Dcmd.exe" ID="ID_1155555960" CREATED="1285785848678" MODIFIED="1285785875398" COLOR="#111111">
1055. <font SIZE="12"/>
1056. </node>
1057. </node>
1058. <node TEXT="unicode" ID="ID_1187137642" CREATED="1285785739633" MODIFIED="1285785756819" COLOR="#111111">
1059. <font SIZE="12"/>
1060. </node>
1061. </node>
1062. <node TEXT="normalize POSIX paths and URIs" ID="ID_597032872" CREATED="1285785757937" MODIFIED="1285786023866" COLOR="#111111">
1063. <font SIZE="12"/>
1064. <node TEXT="Example: GET /././scripts/.\./.\./samples/././../samples/vulnerable.aspx" ID="ID_1641996643" CREATED="1285786031498" MODIFIED="1285786080743" COLOR="#111111">
1065. <font SIZE="12"/>
1066. </node>
1067. </node>
1068. <node TEXT="Paper: A look at whisker&apos;s anti-IDS tactics" ID="ID_823208139" CREATED="1286055933570" MODIFIED="1286055947231" COLOR="#111111" LINK="http://www.wiretrip.net/rfp/txt/whiskerids.html">
1069. <font SIZE="12"/>
1070. </node>
1071. </node>
1072. <node TEXT="resilience against Insertion, Evasion, and Denial of Service" ID="ID_603440744" CREATED="1285785510760" MODIFIED="1285786152115" COLOR="#111111">
1073. <font SIZE="12"/>
1074. <node TEXT="Paper: Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" ID="ID_890813868" CREATED="1286055893813" MODIFIED="1286055910499" COLOR="#111111" LINK="http://insecure.org/stf/secnet_ids/secnet_ids.html">
1075. <font SIZE="12"/>
1076. </node>
1077. </node>
1078. </node>
1079. <node TEXT="pattern matching signatures" ID="ID_564916655" CREATED="1285785311341" MODIFIED="1285785321465" COLOR="#990000">
1080. <font SIZE="14"/>
1081. <node TEXT="prominent example: snort signatures" ID="ID_1757216961" CREATED="1286013887320" MODIFIED="1286013902681" COLOR="#111111">
1082. <font SIZE="12"/>
1083. </node>
1084. <node TEXT="makes use of known text- or bit-patterns that are unique for attack" ID="ID_1945166627" CREATED="1286013906964" MODIFIED="1286014019917" COLOR="#111111">
1085. <font SIZE="12"/>
1086. </node>
1087. <node TEXT="relatively easy and quick to create from an attack sample" ID="ID_592422358" CREATED="1286014022524" MODIFIED="1286014089574" COLOR="#111111">
1088. <font SIZE="12"/>
1089. </node>
1090. <node TEXT="each signature detects only one specific attack and no variants of the same attack" ID="ID_823735165" CREATED="1286014090412" MODIFIED="1286014129302" COLOR="#111111">
1091. <font SIZE="12"/>
1092. </node>
1093. <node TEXT="as with antivirus, the number of signatures and demand for hardware resources grow linearly with the number of attacks and their variants" ID="ID_591073845" CREATED="1286014129733" MODIFIED="1286014433284" COLOR="#111111">
1094. <font SIZE="12"/>
1095. </node>
1096. <node TEXT="principle of blacklisting / enumerating badness, which is a flawed concept" ID="ID_117183046" CREATED="1286014175958" MODIFIED="1286014301299" COLOR="#111111">
1097. <font SIZE="12"/>
1098. <node TEXT="see #2 of &quot;The Six Dumbest Ideas in Computer Security&quot;" ID="ID_1541044956" CREATED="1286014302958" MODIFIED="1286014387206" COLOR="#111111" LINK="http://www.ranum.com/security/computer_security/editorials/dumb/">
1099. <font SIZE="12"/>
1100. </node>
1101. </node>
1102. </node>
1103. <node TEXT="protocol analysis" ID="ID_642311722" CREATED="1285785321845" MODIFIED="1285785327432" COLOR="#990000">
1104. <font SIZE="14"/>
1105. <node TEXT="knows how to parse and analyse protocols up to the application layer" ID="ID_81258441" CREATED="1286014454836" MODIFIED="1286014508284" COLOR="#111111">
1106. <font SIZE="12"/>
1107. </node>
1108. <node TEXT="detects protocol misuse (deviations from the standard as implemented and/or defined in the RFC or protocol specification)" ID="ID_1750759753" CREATED="1286014508789" MODIFIED="1286014580282" COLOR="#111111">
1109. <font SIZE="12"/>
1110. </node>
1111. <node TEXT="able to detect new and unknown attacks or new variants against known vulnerabilities" ID="ID_1068296787" CREATED="1286014581014" MODIFIED="1286014960681" COLOR="#111111">
1112. <font SIZE="12"/>
1113. </node>
1114. <node TEXT="komplex and difficult to implement / invites programming and logical errors in the IDS engine itself" ID="ID_1113566846" CREATED="1286014624687" MODIFIED="1286014670214" COLOR="#111111">
1115. <font SIZE="12"/>
1116. </node>
1117. <node TEXT="more generic alert messages, e.g. &quot;overflow in protocol field xyz&quot; or &quot;malformed L2TP SCCRQ&quot;" ID="ID_1854440556" CREATED="1286014676592" MODIFIED="1286014827715" COLOR="#111111">
1118. <font SIZE="12"/>
1119. </node>
1120. <node TEXT="initial cpu overhead larger than with pattern matching signatures, but growing less with number of attacks and vulnerabilities that can be detected" ID="ID_1862945043" CREATED="1286014838601" MODIFIED="1286014952074" COLOR="#111111">
1121. <font SIZE="12"/>
1122. </node>
1123. <node TEXT="protocol analysis on application layer also called &quot;application awareness&quot;" ID="ID_208678775" CREATED="1286014970945" MODIFIED="1286014992779" COLOR="#111111">
1124. <font SIZE="12"/>
1125. </node>
1126. <node TEXT="can also include lexical and semantic analysis of code, e.g. if an HTTP GET request includes a valid sql statement (sql injection) or only by coincidence includes some of the words" ID="ID_1294025188" CREATED="1286014994097" MODIFIED="1286015375540" COLOR="#111111">
1127. <font SIZE="12"/>
1128. <node TEXT="real SQLi: union select loadfile(&apos;/etc/passwd&apos;)" ID="ID_310703549" CREATED="1286015159243" MODIFIED="1286015341142" COLOR="#111111">
1129. <font SIZE="12" BOLD="false"/>
1130. </node>
1131. <node TEXT="not SQLi: &quot;State of the Union: Obama selects new head of Information Security...&quot;" ID="ID_1793810154" CREATED="1286015198459" MODIFIED="1286015338720" COLOR="#111111">
1132. <font SIZE="12" BOLD="false"/>
1133. </node>
1134. </node>
1135. <node TEXT="prominent example: protocol analysis modules (pam) of IBM Security Network Intrusion Prevention System, formerly known as Internet Security Systems Proventia, formerly known as NetworkICE Blackice" ID="ID_570816931" CREATED="1286015384954" MODIFIED="1286015491366" COLOR="#111111">
1136. <font SIZE="12"/>
1137. </node>
1138. </node>
1139. <node TEXT="behavioural analysis" ID="ID_552867124" CREATED="1285785327797" MODIFIED="1285785333510" COLOR="#990000">
1140. <font SIZE="14"/>
1141. <node TEXT="analyses behaviour from a higher level" ID="ID_551573316" CREATED="1286015518784" MODIFIED="1286015607625" COLOR="#111111">
1142. <font SIZE="12"/>
1143. </node>
1144. <node TEXT="uses behavioural patterns" ID="ID_776673462" CREATED="1286015570519" MODIFIED="1286015603965" COLOR="#111111">
1145. <font SIZE="12"/>
1146. </node>
1147. <node TEXT="network based behavioural analysis needs input from other detection methods" ID="ID_1550464747" CREATED="1286015619489" MODIFIED="1286015678630" COLOR="#111111">
1148. <font SIZE="12"/>
1149. <node TEXT="Example: a portscan to a target host was followed by outgoing IRC traffic to an external system and  portscans from the previously targeted system against other systems on the same internal network" ID="ID_1426442218" CREATED="1286015856383" MODIFIED="1286016115449" COLOR="#111111">
1150. <font SIZE="12"/>
1151. </node>
1152. </node>
1153. <node TEXT="host based behavioural analysis can analyse function calls, memory mappings etc. (in memory)" ID="ID_1557425762" CREATED="1286015679815" MODIFIED="1286015741479" COLOR="#111111">
1154. <font SIZE="12"/>
1155. <node TEXT="Example alert: program xyz hides process id, hooks system calls, installs itself as a driver, binds shell to tcp port...." ID="ID_1770904999" CREATED="1286015753343" MODIFIED="1286015849847" COLOR="#111111">
1156. <font SIZE="12"/>
1157. </node>
1158. </node>
1159. </node>
1160. <node TEXT="statistical anomaly detection" ID="ID_652626071" CREATED="1285785333876" MODIFIED="1285785346063" COLOR="#990000">
1161. <font SIZE="14"/>
1162. <node TEXT="prerequisite: learn what&apos;s &quot;normal&quot; traffic on your network" ID="ID_1426789587" CREATED="1286016133824" MODIFIED="1286016162834" COLOR="#111111">
1163. <font SIZE="12"/>
1164. </node>
1165. <node TEXT="detects deviations from &quot;normal&quot; communication relations" ID="ID_1511312685" CREATED="1286016163320" MODIFIED="1286016250115" COLOR="#111111">
1166. <font SIZE="12"/>
1167. <node TEXT="which ip addresses communicate with each other on a regular basis?" ID="ID_1283586463" CREATED="1286016251493" MODIFIED="1286016277169" COLOR="#111111">
1168. <font SIZE="12"/>
1169. </node>
1170. <node TEXT="and which protocols are the using?" ID="ID_240727" CREATED="1286016270389" MODIFIED="1286016279916" COLOR="#111111">
1171. <font SIZE="12"/>
1172. </node>
1173. <node TEXT="what&apos;s the amount of packets or bandwith that is &quot;normally&quot; used by each of these known connections" ID="ID_1219501817" CREATED="1286016281797" MODIFIED="1286016350955" COLOR="#111111">
1174. <font SIZE="12"/>
1175. </node>
1176. </node>
1177. <node TEXT="overall amount of packets and bandwith per protocol" ID="ID_705452875" CREATED="1286016354004" MODIFIED="1286016379187" COLOR="#111111">
1178. <font SIZE="12"/>
1179. </node>
1180. <node TEXT="ratio of ingress and egress traffic" ID="ID_1640274072" CREATED="1286016385084" MODIFIED="1286016396913" COLOR="#111111">
1181. <font SIZE="12"/>
1182. </node>
1183. <node TEXT="Example: Snort Statistical Anomaly Detection Enging (SPADE) (old)" ID="ID_662877496" CREATED="1286016398100" MODIFIED="1286016433049" COLOR="#111111">
1184. <font SIZE="12"/>
1185. </node>
1186. <node TEXT="not very specific on the kind of attack" ID="ID_1124088648" CREATED="1286016452019" MODIFIED="1286016460578" COLOR="#111111">
1187. <font SIZE="12"/>
1188. </node>
1189. <node TEXT="normal condition is difficult to define in  heterogeneous, growing and changing networks" ID="ID_773719544" CREATED="1286016461171" MODIFIED="1286016510745" COLOR="#111111">
1190. <font SIZE="12"/>
1191. </node>
1192. <node TEXT="relatively cost effective for broad coverage using netflow" ID="ID_1385382187" CREATED="1286016516905" MODIFIED="1286016584640" COLOR="#111111">
1193. <font SIZE="12"/>
1194. </node>
1195. </node>
1196. <node TEXT="policies" ID="ID_49285987" CREATED="1285785346460" MODIFIED="1285785352984" COLOR="#990000">
1197. <font SIZE="14"/>
1198. <node TEXT="principle of white listing: deny all, allow some" ID="ID_424844596" CREATED="1286016602854" MODIFIED="1286016615979" COLOR="#111111">
1199. <font SIZE="12"/>
1200. </node>
1201. <node TEXT="often combined with other detection methods" ID="ID_700901954" CREATED="1286016975846" MODIFIED="1286016985779" COLOR="#111111">
1202. <font SIZE="12"/>
1203. </node>
1204. <node TEXT="easy to implement" ID="ID_578500766" CREATED="1286016629926" MODIFIED="1286016644491" COLOR="#111111">
1205. <font SIZE="12"/>
1206. </node>
1207. <node TEXT="economises on hardware resources" ID="ID_1584220913" CREATED="1286016650855" MODIFIED="1286016662385" COLOR="#111111">
1208. <font SIZE="12"/>
1209. </node>
1210. <node TEXT="handy for realtime auditing without impacting availability or performance of productive services" ID="ID_1823260961" CREATED="1286016665549" MODIFIED="1286016707181" COLOR="#111111">
1211. <font SIZE="12"/>
1212. </node>
1213. <node TEXT="has to be updated as corporate policies change" ID="ID_1891394560" CREATED="1286016708747" MODIFIED="1286016798100" COLOR="#111111">
1214. <font SIZE="12"/>
1215. </node>
1216. <node TEXT="complements firewall and other policies" ID="ID_331847625" CREATED="1286016802320" MODIFIED="1286016840089" COLOR="#111111">
1217. <font SIZE="12"/>
1218. </node>
1219. <node TEXT="Example: Firewall has to allow outgoing HTTP and cannot detect Skype or other connections within HTTP that are being prohibited. An IDS combining pattern matching signatures (e.g. for skype client startup messages) with policy can detect this" ID="ID_242270338" CREATED="1286016840648" MODIFIED="1286016967054" COLOR="#111111">
1220. <font SIZE="12"/>
1221. </node>
1222. </node>
1223. <node TEXT="reputation services" ID="ID_1421724855" CREATED="1285785353563" MODIFIED="1285785361693" COLOR="#990000">
1224. <font SIZE="14"/>
1225. <node TEXT="uses public databases of known bad hosts" ID="ID_1523111777" CREATED="1286017063924" MODIFIED="1286017201090" COLOR="#111111">
1226. <font SIZE="12"/>
1227. <node TEXT="blacklists" ID="ID_1852321768" CREATED="1286017097242" MODIFIED="1286017102269" COLOR="#111111">
1228. <font SIZE="12"/>
1229. </node>
1230. <node TEXT="greylists" ID="ID_70068560" CREATED="1286017102684" MODIFIED="1286017106950" COLOR="#111111">
1231. <font SIZE="12"/>
1232. </node>
1233. <node TEXT="known botnet C&amp;C ip addresses" ID="ID_488068421" CREATED="1286017107259" MODIFIED="1286017115957" COLOR="#111111">
1234. <font SIZE="12"/>
1235. </node>
1236. <node TEXT="known malware domain names" ID="ID_576129368" CREATED="1286017116342" MODIFIED="1286017133577" COLOR="#111111">
1237. <font SIZE="12"/>
1238. </node>
1239. </node>
1240. <node TEXT="leverages knowledge and experience of the worldwide security community" ID="ID_193977161" CREATED="1286017143803" MODIFIED="1286017227884" COLOR="#111111">
1241. <font SIZE="12"/>
1242. </node>
1243. <node TEXT="good complement to alerts from pattern matching signatures" ID="ID_1222971723" CREATED="1286017022661" MODIFIED="1286017063450" COLOR="#111111">
1244. <font SIZE="12"/>
1245. </node>
1246. <node TEXT="easy to implement" ID="ID_1329630819" CREATED="1286017235288" MODIFIED="1286017239994" COLOR="#111111">
1247. <font SIZE="12"/>
1248. </node>
1249. <node TEXT="information is quickly outdated / often incorrect" ID="ID_1557308595" CREATED="1286017241408" MODIFIED="1286017269040" COLOR="#111111">
1250. <font SIZE="12"/>
1251. </node>
1252. <node TEXT="only suitable as an additional intelligence source for sorting out alerts that most probably indicate a real attack from those that probably are a false positive" ID="ID_719354175" CREATED="1286017270078" MODIFIED="1286017364237" COLOR="#111111">
1253. <font SIZE="12"/>
1254. </node>
1255. </node>
1256. </node>
1257. <node TEXT="IDWG (concluded WG of the IETF)" ID="ID_1679330683" CREATED="1286211130531" MODIFIED="1286211286837" COLOR="#00b439" LINK="http://tools.ietf.org/wg/idwg/">
1258. <font SIZE="16"/>
1259. <edge STYLE="bezier" WIDTH="thin"/>
1260. <node TEXT="Common Intrusion Detection Framework (CIDF)" ID="ID_99139115" CREATED="1286211280455" MODIFIED="1286211511716" COLOR="#990000" LINK="http://insecure.org/stf/secnet_ids/evasion-figure1.gif">
1261. <font SIZE="14"/>
1262. </node>
1263. <node TEXT="Intrusion Detection Exchange Format (IDMEF)" ID="ID_1641199689" CREATED="1286211742949" MODIFIED="1286211766844" COLOR="#990000" LINK="http://www.ietf.org/rfc/rfc4765.txt">
1264. <font SIZE="14"/>
1265. </node>
1266. </node>
1267. </node>
1268. <node TEXT="correlation" POSITION="left" ID="ID_1747326815" CREATED="1286017427051" MODIFIED="1286018216408" COLOR="#0033ff">
1269. <font SIZE="18"/>
1270. <edge STYLE="sharp_bezier" WIDTH="8"/>
1271. <node TEXT="correlation describes the relation between two or more variables, which does not have to be necessarily causal" ID="ID_32041418" CREATED="1286017581816" MODIFIED="1286018216431" COLOR="#00b439">
1272. <font SIZE="16"/>
1273. <edge STYLE="bezier" WIDTH="thin"/>
1274. </node>
1275. <node TEXT="time correlation: wich events fit together in a time based context?" ID="ID_1954684088" CREATED="1286017689260" MODIFIED="1286018216437" COLOR="#00b439">
1276. <font SIZE="16"/>
1277. <edge STYLE="bezier" WIDTH="thin"/>
1278. </node>
1279. <node TEXT="behaviour: do certain events correlate with a typical known attack behaviour" ID="ID_550586880" CREATED="1286017743586" MODIFIED="1286018216446" COLOR="#00b439">
1280. <font SIZE="16"/>
1281. <edge STYLE="bezier" WIDTH="thin"/>
1282. </node>
1283. <node TEXT="attack/host/service/vulnerability correlation" ID="ID_868677934" CREATED="1286017792416" MODIFIED="1286018216452" COLOR="#00b439">
1284. <font SIZE="16"/>
1285. <edge STYLE="bezier" WIDTH="thin"/>
1286. <node TEXT="does the attacked host run the service that is being attacked?" ID="ID_1929669229" CREATED="1286017840854" MODIFIED="1286018216452" COLOR="#990000">
1287. <font SIZE="14"/>
1288. </node>
1289. <node TEXT="does the targeted service have the vulnerability or a potentially vulnerable version?" ID="ID_1711031058" CREATED="1286017843103" MODIFIED="1286018216453" COLOR="#990000">
1290. <font SIZE="14"/>
1291. </node>
1292. </node>
1293. <node TEXT="is the attack source a known &quot;bad&quot; host? (reputation)" ID="ID_1401191048" CREATED="1286017932404" MODIFIED="1286018216455" COLOR="#00b439">
1294. <font SIZE="16"/>
1295. <edge STYLE="bezier" WIDTH="thin"/>
1296. </node>
1297. <node TEXT="what is the geo-ip reputation of the originating ip? (maybe alerts that originate from some geographic area or country are less often false positives than others)" ID="ID_1074696655" CREATED="1286017965235" MODIFIED="1286018216481" COLOR="#00b439">
1298. <font SIZE="16"/>
1299. <edge STYLE="bezier" WIDTH="thin"/>
1300. </node>
1301. </node>
1302. <node TEXT="vulnerability databases" POSITION="right" ID="ID_1437440953" CREATED="1286018264429" MODIFIED="1286018552417" COLOR="#0033ff">
1303. <font SIZE="18"/>
1304. <edge STYLE="sharp_bezier" WIDTH="8"/>
1305. <node TEXT="CVE, OSVDB, Exploit-DB, Bugtraq, Vupen, Secunia, eEye, ..." ID="ID_742411990" CREATED="1286018304724" MODIFIED="1286018343678" COLOR="#00b439">
1306. <font SIZE="16"/>
1307. <edge STYLE="bezier" WIDTH="thin"/>
1308. </node>
1309. <node TEXT="knowledge base of known vulnerabilities, weaknesses, impact/criticality score, affected versions, workarounds, available patches, available exploits etc." ID="ID_1762645785" CREATED="1286018344413" MODIFIED="1286018545398" COLOR="#00b439">
1310. <font SIZE="16"/>
1311. <edge STYLE="bezier" WIDTH="thin"/>
1312. </node>
1313. <node TEXT="problem: there is no universal, vendor indipendent, standardised reference that could be used to map any vulnerability, weakness, product to IDS alerts." ID="ID_1906127368" CREATED="1286018393101" MODIFIED="1286018487938" COLOR="#00b439">
1314. <font SIZE="16"/>
1315. <edge STYLE="bezier" WIDTH="thin"/>
1316. </node>
1317. <node TEXT="CVE is the only common denominator, which does not cover everything" ID="ID_94814474" CREATED="1286018488438" MODIFIED="1286018515856" COLOR="#00b439">
1318. <font SIZE="16"/>
1319. <edge STYLE="bezier" WIDTH="thin"/>
1320. </node>
1321. <node TEXT="a locally installed and regularly updated vulnerability database/knowledge base should be part of any IDS product" ID="ID_755955765" CREATED="1286018554860" MODIFIED="1286018601470" COLOR="#00b439">
1322. <font SIZE="16"/>
1323. <edge STYLE="bezier" WIDTH="thin"/>
1324. </node>
1325. </node>
1326. <node TEXT="intrusion detection wall of fame" POSITION="right" ID="ID_1221929902" CREATED="1286212331357" MODIFIED="1286212356604" COLOR="#0033ff">
1327. <font SIZE="18"/>
1328. <edge STYLE="sharp_bezier" WIDTH="8"/>
1329. <node TEXT="Clifford Stoll" ID="ID_1625900681" CREATED="1286212371548" MODIFIED="1286212384766" COLOR="#00b439">
1330. <font SIZE="16"/>
1331. <edge STYLE="bezier" WIDTH="thin"/>
1332. <node TEXT="tracked down german folks hacking into computers by initially investigating a $0.75 accounting error in the computer usage accounts" ID="ID_52371815" CREATED="1286213879147" MODIFIED="1286214041310" COLOR="#990000">
1333. <font SIZE="14"/>
1334. </node>
1335. </node>
1336. <node TEXT="Marcus J. Ranum" ID="ID_1557868724" CREATED="1286212359668" MODIFIED="1286212365237" COLOR="#00b439">
1337. <font SIZE="16"/>
1338. <edge STYLE="bezier" WIDTH="thin"/>
1339. <node TEXT="designed the NFR Network Flight Recorder IDS" ID="ID_1207514877" CREATED="1286214043799" MODIFIED="1286214059777" COLOR="#990000">
1340. <font SIZE="14"/>
1341. </node>
1342. </node>
1343. <node TEXT="Robert Graham" ID="ID_985629532" CREATED="1286212365757" MODIFIED="1286212370929" COLOR="#00b439">
1344. <font SIZE="16"/>
1345. <edge STYLE="bezier" WIDTH="thin"/>
1346. <node TEXT="designed the NetworkICE BlackICE protocol analysis based IDS/IPS product" ID="ID_788425007" CREATED="1286214060214" MODIFIED="1286214083222" COLOR="#990000">
1347. <font SIZE="14"/>
1348. </node>
1349. </node>
1350. <node TEXT="Stephen Northcutt" ID="ID_429193792" CREATED="1286212396043" MODIFIED="1286212404811" COLOR="#00b439">
1351. <font SIZE="16"/>
1352. <edge STYLE="bezier" WIDTH="thin"/>
1353. <node TEXT="developer of the Shadow intrusion detection system, book author, president of SANS institute, founder of the GIAC certification at SANS" ID="ID_945164711" CREATED="1286214174563" MODIFIED="1286214320544" COLOR="#990000">
1354. <font SIZE="14"/>
1355. </node>
1356. </node>
1357. <node TEXT="Chris Claus" ID="ID_667486146" CREATED="1286212433243" MODIFIED="1286212436774" COLOR="#00b439">
1358. <font SIZE="16"/>
1359. <edge STYLE="bezier" WIDTH="thin"/>
1360. <node TEXT="founder and former CTO of Internet Security Systems" ID="ID_1923678087" CREATED="1286214356869" MODIFIED="1286214359382" COLOR="#990000">
1361. <font SIZE="14"/>
1362. </node>
1363. </node>
1364. <node TEXT="Ron Gula" ID="ID_620598613" CREATED="1286212587390" MODIFIED="1286212590645" COLOR="#00b439">
1365. <font SIZE="16"/>
1366. <edge STYLE="bezier" WIDTH="thin"/>
1367. <node TEXT="designer of the Dragon IDS (Enterasys)" ID="ID_726810005" CREATED="1286214389924" MODIFIED="1286214401590" COLOR="#990000">
1368. <font SIZE="14"/>
1369. </node>
1370. </node>
1371. <node TEXT="Marty Roesch" ID="ID_737116004" CREATED="1286212724626" MODIFIED="1286213337031" COLOR="#00b439">
1372. <font SIZE="16"/>
1373. <edge STYLE="bezier" WIDTH="thin"/>
1374. <node TEXT="originally and initially designed the Snort IDS, founder of Sourcefire" ID="ID_234729630" CREATED="1286214402068" MODIFIED="1286214440448" COLOR="#990000">
1375. <font SIZE="14"/>
1376. </node>
1377. </node>
1378. <node TEXT="Judy Novak" ID="ID_1125353353" CREATED="1297976467058" MODIFIED="1297976507816" COLOR="#00b439">
1379. <font SIZE="16"/>
1380. <edge STYLE="bezier" WIDTH="thin"/>
1381. <node TEXT="Co author with Stephen Northcutt of &quot;Network Intrusion Detection&quot;, trainer at SANS, 2010 recipient of a SANS Lifetime Achievement award" ID="ID_1065642801" CREATED="1297976536744" MODIFIED="1297976763591" COLOR="#990000">
1382. <font SIZE="14"/>
1383. </node>
1384. </node>
1385. </node>
1386. <node TEXT="Books" POSITION="left" ID="ID_1522262233" CREATED="1286213377169" MODIFIED="1286213394125" COLOR="#0033ff">
1387. <font SIZE="18"/>
1388. <edge STYLE="sharp_bezier" WIDTH="8"/>
1389. <node TEXT="Intrusion Signatures and Analysis by Matt Fearnow, Stephen Northcutt, Karen Frederick, and Mark Cooper (Paperback - Jan 29, 2001)" ID="ID_968926904" CREATED="1286213476423" MODIFIED="1286213511668" COLOR="#00b439">
1390. <font SIZE="16"/>
1391. <edge STYLE="bezier" WIDTH="thin"/>
1392. </node>
1393. <node TEXT="Network Intrusion Detection: An Analysts&apos; Handbook by Stephen Northcutt" ID="ID_1591370485" CREATED="1286213512389" MODIFIED="1286213539686" COLOR="#00b439">
1394. <font SIZE="16"/>
1395. <edge STYLE="bezier" WIDTH="thin"/>
1396. </node>
1397. <node TEXT="Intrusion Detection und Prevention mit Snort &amp; Co. by Ralf Spenneberg" ID="ID_1269112405" CREATED="1286213570451" MODIFIED="1286213578411" COLOR="#00b439">
1398. <font SIZE="16"/>
1399. <edge STYLE="bezier" WIDTH="thin"/>
1400. </node>
1401. <node TEXT="Snort IDS and IPS Toolkit (Jay Beale&apos;s Open Source Security) by Brian Caswell, Jay Beale, and Andrew Baker (Paperback - Feb 1, 2007)" ID="ID_380081492" CREATED="1286213606625" MODIFIED="1286213608360" COLOR="#00b439">
1402. <font SIZE="16"/>
1403. <edge STYLE="bezier" WIDTH="thin"/>
1404. </node>
1405. <node TEXT="Know Your Enemy: Learning about Security Threats (2nd Edition) by&#xa;The Honeynet Project" ID="ID_188409289" CREATED="1286213643329" MODIFIED="1286213664352" COLOR="#00b439">
1406. <font SIZE="16"/>
1407. <edge STYLE="bezier" WIDTH="thin"/>
1408. </node>
1409. <node TEXT="The Cuckoo&apos;s Egg by Cliff Stoll" ID="ID_187663407" CREATED="1286213799421" MODIFIED="1286213804795" COLOR="#00b439">
1410. <font SIZE="16"/>
1411. <edge STYLE="bezier" WIDTH="thin"/>
1412. </node>
1413. </node>
1414. <node TEXT="historic Intrusion Detection Systems and research" POSITION="right" ID="ID_443622604" CREATED="1286212473407" MODIFIED="1286215028493" COLOR="#0033ff">
1415. <font SIZE="18"/>
1416. <edge STYLE="sharp_bezier" WIDTH="8"/>
1417. <node TEXT="Symantec Article on IDS history" ID="ID_1429920899" CREATED="1286214597350" MODIFIED="1286215028497" COLOR="#00b439" LINK="http://www.symantec.com/connect/articles/evolution-intrusion-detection-systems">
1418. <font SIZE="16"/>
1419. <edge STYLE="bezier" WIDTH="thin"/>
1420. </node>
1421. <node TEXT="Intrusion Detection Expert System (IDES)" ID="ID_945842806" CREATED="1286214562675" MODIFIED="1286215028498" COLOR="#00b439">
1422. <font SIZE="16"/>
1423. <edge STYLE="bezier" WIDTH="thin"/>
1424. </node>
1425. <node TEXT="Shadow IDS" ID="ID_1067126467" CREATED="1286214453371" MODIFIED="1286215028500" COLOR="#00b439">
1426. <font SIZE="16"/>
1427. <edge STYLE="bezier" WIDTH="thin"/>
1428. </node>
1429. <node TEXT="stalker" ID="ID_972687191" CREATED="1286214660272" MODIFIED="1286215028501" COLOR="#00b439">
1430. <font SIZE="16"/>
1431. <edge STYLE="bezier" WIDTH="thin"/>
1432. </node>
1433. <node TEXT="ASIM" ID="ID_499691457" CREATED="1286214672492" MODIFIED="1286215028502" COLOR="#00b439">
1434. <font SIZE="16"/>
1435. <edge STYLE="bezier" WIDTH="thin"/>
1436. </node>
1437. <node TEXT="NFR" ID="ID_454093234" CREATED="1286214458705" MODIFIED="1286215028504" COLOR="#00b439">
1438. <font SIZE="16"/>
1439. <edge STYLE="bezier" WIDTH="thin"/>
1440. </node>
1441. <node TEXT="ISS RealSecure" ID="ID_410322024" CREATED="1286214468193" MODIFIED="1286215028505" COLOR="#00b439">
1442. <font SIZE="16"/>
1443. <edge STYLE="bezier" WIDTH="thin"/>
1444. </node>
1445. <node TEXT="NetworkICE BlackICE" ID="ID_87896667" CREATED="1286214477874" MODIFIED="1286215028507" COLOR="#00b439">
1446. <font SIZE="16"/>
1447. <edge STYLE="bezier" WIDTH="thin"/>
1448. </node>
1449. <node TEXT="Netranger IDS" ID="ID_915911292" CREATED="1286214773713" MODIFIED="1286215028508" COLOR="#00b439">
1450. <font SIZE="16"/>
1451. <edge STYLE="bezier" WIDTH="thin"/>
1452. </node>
1453. <node TEXT="SRI EMERALD" ID="ID_1263073407" CREATED="1286214872942" MODIFIED="1286215028510" COLOR="#00b439" LINK="http://www.csl.sri.com/projects/emerald/">
1454. <font SIZE="16"/>
1455. <edge STYLE="bezier" WIDTH="thin"/>
1456. </node>
1457. <node TEXT="GrIDS: A Graph-Based Intrusion Detection System" ID="ID_100554990" CREATED="1286214932802" MODIFIED="1286215028511" COLOR="#00b439">
1458. <font SIZE="16"/>
1459. <edge STYLE="bezier" WIDTH="thin"/>
1460. </node>
1461. </node>
1462. <node TEXT="about this mindmap" POSITION="left" ID="ID_1705349363" CREATED="1286215115983" MODIFIED="1286215120345" COLOR="#0033ff">
1463. <font SIZE="18"/>
1464. <edge STYLE="sharp_bezier" WIDTH="8"/>
1465. <node TEXT="contributors" ID="ID_1815632294" CREATED="1286019838161" MODIFIED="1286215147319" COLOR="#00b439">
1466. <font SIZE="16"/>
1467. <edge STYLE="bezier" WIDTH="thin"/>
1468. <node TEXT="Detmar Liesen" ID="ID_802534138" CREATED="1286019844804" MODIFIED="1286215147320" COLOR="#990000">
1469. <font SIZE="14"/>
1470. <edge STYLE="bezier" WIDTH="thin"/>
1471. </node>
1472. </node>
1473. <node TEXT="mindmap version history" ID="ID_104088000" CREATED="1286053783074" MODIFIED="1286215150115" COLOR="#00b439">
1474. <font SIZE="16"/>
1475. <edge STYLE="bezier" WIDTH="thin"/>
1476. <node TEXT="Version 0.2 - corrected some typos, added more product references and links" ID="ID_1172462668" CREATED="1286053798435" MODIFIED="1286215150124" COLOR="#990000">
1477. <font SIZE="14"/>
1478. <edge STYLE="bezier" WIDTH="thin"/>
1479. </node>
1480. <node TEXT="Version 0.3 2010-10-04 corrected more typos, added books, ids wall of fame, historic ids stuff" ID="ID_1401180726" CREATED="1286215159390" MODIFIED="1286215195821" COLOR="#990000">
1481. <font SIZE="14"/>
1482. </node>
1483. <node TEXT="Version 0.4 2011-02-17 added Judy Novak to IDS hall of fame ;-)" ID="ID_1706136255" CREATED="1297976811267" MODIFIED="1297976838238" COLOR="#990000">
1484. <font SIZE="14"/>
1485. </node>
1486. </node>
1487. <node TEXT="license" ID="ID_526956219" CREATED="1286019852950" MODIFIED="1286215154191" COLOR="#00b439">
1488. <font SIZE="16" BOLD="true"/>
1489. <edge STYLE="bezier" WIDTH="thin"/>
1490. <node TEXT="this mindmap is licensed cc-by-sa&#xa;http://creativecommons.org/licenses/by-sa/3.0/" ID="ID_1021239747" CREATED="1286020061087" MODIFIED="1286215154199" COLOR="#990000">
1491. <font SIZE="14"/>
1492. <edge STYLE="bezier" WIDTH="thin"/>
1493. </node>
1494. </node>
1495. </node>
1496. </node>
1497. </map>