Yes, it is indeed more complex than one would initially consider. When I
was building the framework for Strikeback, the first response model was a
simple signature-based system, just like a static access-list. The second
generation response model was based on a concept of "anomalous traffic
detection and response," where my goal was to be able to detect variants in
traffic patterns, identify (or better, "quantify") the differentiation,
extract out relevant details based on "normal" traffic metrics, and to then
dynamically generate a rule for response. Just getting to where one could
detect anomalous traffic was challenging.
I designed an architecture where the overall process was driven by layered
role-based-modals, each responsible for and dedicated to a particular piece
of the analysis with appropriate channels between layers for data exchange.
I wouldn't mind sharing the architecture with your team if you think it
might be mutually beneficial.
t
----- "I may disapprove of what you say, but I will defend to the death your right to say it."
http://www.ISAserver.org
You're kidding, but there's been some discussion about the possibility to "evaluate this pattern and derive a policy from it".
It's far more complex than you might imagine, especially when all you get from logs is what happened the last time.
-------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! --------------------------------------------
-----Original Message-----
From: Joseph Danielsen [mailto:JDanielsen@xxxxxxxxxxxxxxxx]
Sent: Friday, December 23, 2005 10:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Christmas
Tom:
Do you think MS would come out with ISA 2006 which will obey voice commands? Kind of a SBS wizard fashion with voice recognition!!!!
"Hey ISA - Allow email and RPC/Http now" etc.
Joseph F. Danielsen, MCSA-Messaging, MCP Network Blade Inc. 49 Marcy Street Somerset, NJ 08873 (732) 213-0600 www.NetworkBlade.Com
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Friday, December 23, 2005 1:18 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: christmas
Merry Christmas to all!
It's been a great year and I've had a great time on this list. Made a lot of new friends and learned a lot of new stuff, which is what this is all about. Thanks to everyone for their participation and support (both technical and emotional :) and I'm looking forward to a great 2006, and maybe even a new ISA firewall product in that year (cross my fingers).
This is the first year in over a decade that I actually forced myself to take time off. So this year Thor is going to have to do my share of the work that's usually done at this time of year :)))
Thanks!
Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?**
-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Thursday, December 22, 2005 11:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: christmas
Merry XMas to you guys as well. I, unfortunately, must work through the XMas weekend... Funny thing is I'll be in the air more than on the ground for 3 days :(
t
----- "I may disapprove of what you say, but I will defend to the death your right to say it."
----- Original Message ----- From: "Greg Mulholland" <greg@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, December 22, 2005 3:09 PM
Subject: [isalist] christmas
Don't all jump at once to wish everyone a merry christmas will ya!
Enjoyed the list this year, hope everyone has a great christmas.. be safe and merry
Greg
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: thor@xxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx