Can you give a thumbnail explanation of how you modeled anomalous traffic?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Friday, December 23, 2005 1:55 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Christmas
>
> http://www.ISAserver.org
>
> Yes, it is indeed more complex than one would initially consider. When I
> was building the framework for Strikeback, the first response model was a
> simple signature-based system, just like a static access-list. The second
> generation response model was based on a concept of "anomalous traffic
> detection and response," where my goal was to be able to detect variants in
> traffic patterns, identify (or better, "quantify") the differentiation,
> extract out relevant details based on "normal" traffic metrics, and to then
> dynamically generate a rule for response. Just getting to where one could
> detect anomalous traffic was challenging.
>
> I designed an architecture where the overall process was driven by layered
> role-based-modals, each responsible for and dedicated to a particular piece
> of the analysis with appropriate channels between layers for data exchange.
> I wouldn't mind sharing the architecture with your team if you think it
> might be mutually beneficial.
>
> t
>
> -----
> "I may disapprove of what you say,
> but I will defend to the death your
> right to say it."
>
>
> ----- Original Message -----
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, December 23, 2005 11:12 AM
> Subject: [isalist] RE: Christmas
>
> > You're kidding, but there's been some discussion about the possibility
> > to "evaluate this pattern and derive a policy from it".
> >
> > It's far more complex than you might imagine, especially when all you
> > get from logs is what happened the last time.
> >
> > --------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > --------------------------------------------
> >
> > -----Original Message-----
> > From: Joseph Danielsen [mailto:JDanielsen@xxxxxxxxxxxxxxxx]
> > Sent: Friday, December 23, 2005 10:22 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Christmas
> >
> > Tom:
> >
> > Do you think MS would come out with ISA 2006 which will obey voice
> > commands? Kind of a SBS wizard fashion with voice recognition!!!!
> >
> > "Hey ISA - Allow email and RPC/Http now" etc.
> >
> > Joseph F. Danielsen, MCSA-Messaging, MCP
> > Network Blade Inc.
> > 49 Marcy Street
> > Somerset, NJ 08873
> > (732) 213-0600
> > www.NetworkBlade.Com
> >
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Friday, December 23, 2005 1:18 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: christmas
> >
> > Merry Christmas to all!
> >
> > It's been a great year and I've had a great time on this list. Made a lot
> > of new friends and learned a lot of new stuff, which is what this is all
> > about. Thanks to everyone for their participation and support (both
> > technical and emotional :) and I'm looking forward to a great 2006, and
> > maybe even a new ISA firewall product in that year (cross my fingers).
> >
> > This is the first year in over a decade that I actually forced myself to
> > take time off. So this year Thor is going to have to do my share of the
> > work that's usually done at this time of year :)))
> >
> > Thanks!
> >
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >> -----Original Message-----
> >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> Sent: Thursday, December 22, 2005 11:23 PM
> >> To: [ISAserver.org Discussion List]
> >> Subject: [isalist] Re: christmas
> >>
> >> Merry XMas to you guys as well. I, unfortunately, must work through the
> >> XMas weekend... Funny thing is I'll be in the air more than on the ground
> >> for 3 days :(
> >>
> >> t
> >>
> >> -----
> >> "I may disapprove of what you say,
> >> but I will defend to the death your
> >> right to say it."
> >>
> >>
> >> ----- Original Message -----
> >> From: "Greg Mulholland" <greg@xxxxxxxxxxxxxx>
> >> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >> Sent: Thursday, December 22, 2005 3:09 PM
> >> Subject: [isalist] christmas
> >>
> >> Don't all jump at once to wish everyone a merry christmas will ya!
> >>
> >> Enjoyed the list this year, hope everyone has a great christmas.. be
> >> safe and merry
> >>
> >> Greg
> >>
> >> ------------------------------------------------------
> >> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> >> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> >> ------------------------------------------------------
> >> Visit TechGenix.com for more information about our other sites:
> >> http://www.techgenix.com
> >> ------------------------------------------------------
> >> You are currently subscribed to this ISAserver.org Discussion
> >> List as: thor@xxxxxxxxxxxxxxx
> >> To unsubscribe visit
> >> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> Report abuse to listadmin@xxxxxxxxxxxxx