Firewall Wizards mailing list archives

Re: future of IDS


From: "Stephen P. Gibbons" <steve () aztech net>
Date: Mon, 19 Oct 1998 22:44:15 -0700

Crispin Cowan wrote:

"Stephen P. Gibbons" wrote:

For example, wouldn't it be neat if there was a standardized,
IDS-aware, and reliable way for applications to indicate that
"Required authentication failed for resource X, reason Y"
"Reason Y" is information that won't necessarily be available
to a passive IDS, but can be used by an IDS in determining
what action to take in response: extra logging, shunning,
whatever.

Wouldn't it be neat if there was an IDS standard such that
StackGuard-protected programs could complain about stack smashing attempts
such that someone would listen?

This would be an obvious "next step" to what I was proposing.

IMHO, neither syslog nor SNMP "cut it" for this purpose.

I'm currently using syslog for this purpose.  I agree, I'd rather use
something else (or at least something in addition to syslog).

IDS alert messages have lots of interesting characteristics.  I think that
inter-node IDS alerts need to be as secure (or more
secure than) the system audit logs.

The IDS would not have to be taught how to decipher each
new protocol, it would instead understand the standard "Hey,
IDS, here's an auth-failed message, take note!"

The difficulty seems to be that there are many kinds of events to be
communicated via such a protocol.  For instance, some events are merely
suspicious ("that looks like a similar pattern to an attack I once saw"), some
events are very suspicious ("that looks EXACTLY like an attack pattern I know
about"), some events are dead certain (StackGuard intrusion events), and some
events have no significance at all unless taken in context (port scanning).  A
protocol that only allows you to report authentication failure isn't enough.

I chose the "auth failed" example as the most obvious hook into an IDS, it was only
an example.  Pattern detection is probably best performed (relatively)
centrally (with localized short-cuts).

The CIDF effort (http://olympus.cs.ucdavis.edu/cidf/) is trying to come to a
consensus on such a protocol so that a wide variety of IDS instruments can
cooperate to build something that can actually be described as an intrusion
detection *system*.

Yeah, the CIDF stuff seems relatively reasonable, if overly complexicated.

Crispin
-----
 Crispin Cowan, Research Assistant Professor of Computer Science, OGI
    NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
       http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

                 Support Justice:  Boycott Windows 98

 --
Steve
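As an added illustration of the kind of alert protocol the thread is discussing (not code from the original post, from CIDF, or from StackGuard), the Python below sketches a structured alert that carries an explicit confidence level and the application-side "reason Y", an HMAC tag so that inter-node alerts are at least as tamper-evident as an audit log, and a central correlator in which contextual events such as single port probes only matter in aggregate while a "certain" event gets an immediate response. All class and function names, the shared key, the thresholds and the sample events are constructed for this example.

```python
# Added illustration for the thread above, not code from the original post or
# from CIDF/StackGuard: a structured IDS alert with an explicit confidence level,
# an HMAC tag for inter-node transport, and a correlator that applies context.
# All names, the shared key, thresholds and sample events are constructed.
import hashlib
import hmac
import json
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Confidence(str, Enum):
    CONTEXTUAL = "contextual"            # meaningless alone (a single port probe)
    SUSPICIOUS = "suspicious"            # resembles a known attack pattern
    VERY_SUSPICIOUS = "very_suspicious"  # matches a known pattern exactly
    CERTAIN = "certain"                  # instrumented detection (stack-smash trap)


@dataclass
class Alert:
    source: str                 # reporting host or application
    event: str                  # "auth_failed", "stack_smash", "port_probe", ...
    confidence: Confidence
    resource: str = ""          # "resource X": path, port, binary
    reason: str = ""            # "reason Y": detail a passive sensor cannot see
    peer: str = ""              # remote address involved, if any


def encode(alert: Alert, key: bytes) -> bytes:
    """Serialise an alert and append an HMAC so the receiver can detect
    forgery or tampering in transit (plain syslog over UDP offers neither)."""
    fields = {**alert.__dict__, "confidence": alert.confidence.value}
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def decode(wire: bytes, key: bytes) -> Alert:
    """Verify the HMAC before trusting any field; reject on mismatch."""
    body, _, tag = wire.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("alert integrity check failed")
    fields = json.loads(body)
    fields["confidence"] = Confidence(fields["confidence"])
    return Alert(**fields)


class Correlator:
    """Central decision point: confidence and the application-supplied reason
    decide the response, and contextual events only count in aggregate."""
    PROBE_THRESHOLD = 5   # distinct ports from one peer before it is a scan
    AUTH_THRESHOLD = 3    # bad passwords from one peer before escalating

    def __init__(self) -> None:
        self.probed_ports = defaultdict(set)
        self.bad_passwords = defaultdict(int)

    def handle(self, alert: Alert) -> str:
        if alert.confidence is Confidence.CERTAIN:
            return "shun"                      # e.g. a stack-smash trap firing
        if alert.event == "port_probe":
            self.probed_ports[alert.peer].add(alert.resource)
            if len(self.probed_ports[alert.peer]) >= self.PROBE_THRESHOLD:
                return "scan_detected"
            return "ignore"                    # a lone probe means nothing
        if alert.event == "auth_failed":
            if alert.reason == "account_locked":
                return "extra_logging"         # reason Y changes the response
            self.bad_passwords[alert.peer] += 1
            if self.bad_passwords[alert.peer] >= self.AUTH_THRESHOLD:
                return "extra_logging"
            return "log"
        return "log" if alert.confidence is Confidence.SUSPICIOUS else "escalate"


def run_sample(key: bytes = b"constructed-shared-key") -> list:
    """Feed a constructed event sequence through encode/decode and the
    correlator, returning the action chosen for each event in order."""
    events = [
        Alert("httpd@web1", "auth_failed", Confidence.SUSPICIOUS, "/admin", "bad_password", "10.0.0.7"),
        Alert("httpd@web1", "auth_failed", Confidence.SUSPICIOUS, "/admin", "bad_password", "10.0.0.7"),
        Alert("httpd@web1", "auth_failed", Confidence.SUSPICIOUS, "/admin", "bad_password", "10.0.0.7"),
        Alert("sensor@gw", "port_probe", Confidence.CONTEXTUAL, "22", "", "10.0.0.9"),
        Alert("sensor@gw", "port_probe", Confidence.CONTEXTUAL, "22", "", "10.0.0.9"),  # same port again
        Alert("sensor@gw", "port_probe", Confidence.CONTEXTUAL, "23", "", "10.0.0.9"),
        Alert("sensor@gw", "port_probe", Confidence.CONTEXTUAL, "25", "", "10.0.0.9"),
        Alert("sensor@gw", "port_probe", Confidence.CONTEXTUAL, "80", "", "10.0.0.9"),
        Alert("sensor@gw", "port_probe", Confidence.CONTEXTUAL, "443", "", "10.0.0.9"),
        Alert("ftpd@files", "stack_smash", Confidence.CERTAIN, "/usr/sbin/ftpd", "canary_mismatch", "10.0.0.9"),
    ]
    correlator = Correlator()
    return [correlator.handle(decode(encode(e, key), key)) for e in events]


if __name__ == "__main__":
    for action in run_sample():
        print(action)
```

The point of the split between `encode`/`decode` and `Correlator` is the one the thread makes: the sensor or application only has to emit a standard message with its confidence and reason, and the contextual rules (how many probes make a scan, how many failures warrant extra logging) live centrally where they can be changed without touching every instrumented program.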
