work and IT @ 21 Mar 2008 04:40 pm by ayoi
Suddenly it popped up in my mind. Why? Our researcher asked me to help him gather all available attack packets or traffic for him. I told him that instead of trying to identify, categorize, accumulate and store all the attack traffic in order to understand the attack patterns, why not identify the normal traffic for the monitored segments, so that any significant deviation from that normal traffic can be considered suspicious. Even the main rule of writing Snort rules is to always capture the vulnerability and not the attack tools. The reason? There are thousands of attack patterns for a single vulnerability. We can never fully record all the attack methods; it's quite impossible IMHO. And of course there is no way we can identify any 0-day attacks if we concentrate on enumerating attacks instead of concentrating on the normal traffic.
One of the ICT Security DUMB ideas in motion, I guess...
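To make the "learn the normal traffic, flag the deviation" idea concrete, here is an added example (not code from the original post or from any tool it mentions). It learns a per-host baseline from a period assumed to be clean, then scores a new one-minute window against that baseline instead of against attack signatures. All hosts, ports and traffic are constructed sample data; the z-score threshold, the standard-deviation floor and the "never-seen port" check are my assumptions, not anything the post prescribes.

```python
"""Baseline-and-deviation detector over constructed connection records.

Each record is one accepted connection: (minute, src, dst, dport). Nothing
here knows what an attack looks like; it only knows what each monitored host
normally does and reports hosts that step outside that.
"""
from collections import defaultdict
from statistics import mean, pstdev

Z_THRESHOLD = 3.0  # assumption: flag rates more than 3 sd above the baseline
MIN_STD = 1.0      # assumption: floor so a perfectly regular host still has tolerance


def parse_line(line):
    """Parse a constructed log line 'minute src dst dport' into a record tuple."""
    minute, src, dst, dport = line.split()
    return int(minute), src, dst, int(dport)


def constructed_baseline():
    """Constructed 'normal' traffic: five minutes of two hosts' usual activity."""
    recs = []
    for minute in range(5):
        for i in range(3):  # 10.0.0.5: three HTTPS connections per minute
            recs.append((minute, "10.0.0.5", f"203.0.113.{10 + i % 2}", 443))
        for _ in range(2):  # 10.0.0.7: two SMTP connections per minute
            recs.append((minute, "10.0.0.7", "198.51.100.20", 25))
    return recs


def constructed_window():
    """Constructed new window: one host changes behaviour, one is unseen, one is normal."""
    lines = [f"5 10.0.0.5 10.0.0.{100 + i} 445" for i in range(40)]
    lines += ["5 10.0.0.7 198.51.100.20 25",
              "5 10.0.0.7 198.51.100.20 25",
              "5 10.0.0.9 203.0.113.50 22"]
    return [parse_line(line) for line in lines]


def build_baseline(records):
    """Learn per-source normal behaviour: connections per minute and usual ports."""
    minutes = sorted({r[0] for r in records})
    per_min = defaultdict(lambda: defaultdict(int))  # src -> minute -> count
    ports = defaultdict(set)
    for minute, src, _dst, dport in records:
        per_min[src][minute] += 1
        ports[src].add(dport)
    baseline = {}
    for src, counts in per_min.items():
        series = [counts.get(m, 0) for m in minutes]  # zero for quiet minutes
        baseline[src] = {"mean": mean(series), "std": pstdev(series), "ports": ports[src]}
    return baseline


def score_window(baseline, records):
    """Return {src: [reasons]} for every source that deviates from its baseline."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    for _minute, src, _dst, dport in records:
        counts[src] += 1
        ports[src].add(dport)
    findings = defaultdict(list)
    for src in counts:
        if src not in baseline:
            findings[src].append("no baseline for this host")
            continue
        b = baseline[src]
        z = (counts[src] - b["mean"]) / max(b["std"], MIN_STD)
        if z > Z_THRESHOLD:
            findings[src].append(
                f"connection rate {counts[src]}/min is {z:.1f} sd above normal {b['mean']:.1f}")
        new_ports = sorted(ports[src] - b["ports"])
        if new_ports:
            findings[src].append(f"never-seen destination ports {new_ports}")
    return dict(findings)


def run():
    """Learn from the constructed baseline and score the constructed window."""
    return score_window(build_baseline(constructed_baseline()), constructed_window())


if __name__ == "__main__":
    for host, reasons in run().items():
        print(host, "->", "; ".join(reasons))
```

Note what the detector does not need: it flags 10.0.0.5 because forty connections to a port it has never used is far outside its own history, without any rule describing that behaviour. The price is the usual one for anomaly detection: the baseline period must actually be clean, and a host with no baseline at all (10.0.0.9 here) can only be reported as unknown, not judged.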