RE: Christmas

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 23 Dec 2005 14:19:43 -0600

Can you give a thumbnail explanation of how you modeled anomalous
traffic?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Friday, December 23, 2005 1:55 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Christmas
> 
> http://www.ISAserver.org
> 
> Yes, it is indeed more complex than one would initially consider.  When I
> was building the framework for Strikeback, the first response model was a
> simple signature-based system, just like a static access-list.  The second
> generation response model was based on a concept of "anomalous traffic
> detection and response," where my goal was to be able to detect variants in
> traffic patterns, identify (or better, "quantify") the differentiation,
> extract out relevant details based on "normal" traffic metrics, and to then
> dynamically generate a rule for response.  Just getting to where one could
> detect anomalous traffic was challenging.
> 
> I designed an architecture where the overall process was driven by layered
> role-based-modals, each responsible for and dedicated to a particular piece
> of the analysis with appropriate channels between layers for data exchange.
> I wouldn't mind sharing the architecture with your team if you think it
> might be mutually beneficial.
> 
> t
> 
> -----
> "I may disapprove of what you say,
> but I will defend to the death your
> right to say it."
> 
> 
> ----- Original Message ----- 
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, December 23, 2005 11:12 AM
> Subject: [isalist] RE: Christmas
> 
> 
> > http://www.ISAserver.org
> >
> > You're kidding, but there's been some discussion about the possibility
> > to "evaluate this pattern and derive a policy from it".
> >
> > It's far more complex than you might imagine, especially when all you
> > get from logs is what happened the last time.
> >
> > --------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > --------------------------------------------
> >
> > -----Original Message-----
> > From: Joseph Danielsen [mailto:JDanielsen@xxxxxxxxxxxxxxxx]
> > Sent: Friday, December 23, 2005 10:22 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Christmas
> >
> > http://www.ISAserver.org
> >
> > Tom:
> >
> > Do you think MS would come out with ISA 2006 which will obey voice
> > commands? Kind of a SBS wizard fashion with voice recognition!!!!
> >
> > "Hey ISA - Allow email and RPC/Http now" etc.
> >
> > Joseph F. Danielsen, MCSA-Messaging, MCP
> > Network Blade Inc.
> > 49 Marcy Street
> > Somerset, NJ 08873
> > (732) 213-0600
> > www.NetworkBlade.Com
> >
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Friday, December 23, 2005 1:18 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: christmas
> >
> > http://www.ISAserver.org
> >
> > Merry Christmas to all!
> >
> > It's been a great year and I've had a great time on this list. Made a lot
> > of new friends and learned a lot of new stuff, which is what this is all
> > about. Thanks to everyone for their participation and support (both
> > technical and emotional :)  and I'm looking forward to a great 2006, and
> > maybe even a new ISA firewall product in that year (cross my fingers).
> >
> > This is the first year in over a decade that I actually forced myself to
> > take time off. So this year Thor is going to have to do my share of the
> > work that's usually done at this time of year :)))
> >
> > Thanks!
> >
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> >
> >
> >> -----Original Message-----
> >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> >> Sent: Thursday, December 22, 2005 11:23 PM
> >> To: [ISAserver.org Discussion List]
> >> Subject: [isalist] Re: christmas
> >>
> >> http://www.ISAserver.org
> >>
> >> Merry XMas to you guys as well.  I, unfortunately, must work through the
> >> XMas weekend... Funny thing is I'll be in the air more than on the ground
> >> for 3 days :(
> >>
> >> t
> >>
> >> -----
> >> "I may disapprove of what you say,
> >> but I will defend to the death your
> >> right to say it."
> >>
> >>
> >> ----- Original Message ----- 
> >> From: "Greg Mulholland" <greg@xxxxxxxxxxxxxx>
> >> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> >> Sent: Thursday, December 22, 2005 3:09 PM
> >> Subject: [isalist] christmas
> >>
> >>
> >> http://www.ISAserver.org
> >>
> >> Don't all jump at once to wish everyone a merry christmas will ya!
> >>
> >> Enjoyed the list this year, hope everyone has a great christmas.. be
> >> safe and merry
> >>
> >> Greg
> >>
> >>
> >> ------------------------------------------------------
> >> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> >> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> >> ------------------------------------------------------
> >> Visit TechGenix.com for more information about our other sites:
> >> http://www.techgenix.com
> >> ------------------------------------------------------
> >> You are currently subscribed to this ISAserver.org Discussion
> >> List as:
> >> thor@xxxxxxxxxxxxxxx
> >> To unsubscribe visit
> >> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> >> Report abuse to listadmin@xxxxxxxxxxxxx
> >>
> >>
> >>
> >>
> >
> >
> >
> > All mail to and from this domain is GFI-scanned.
> >
> >
> >
> > 
> 
> 
> 
> 

