Firewall Wizards mailing list archives
Re: future of IDS
From: "Stephen P. Gibbons" <steve () aztech net>
Date: Mon, 19 Oct 1998 22:44:15 -0700
Crispin Cowan wrote:
> "Stephen P. Gibbons" wrote:
> > For example, wouldn't it be neat if there was a standardized, IDS-aware, and reliable way for applications to indicate that "Required authentication failed for resource X, reason Y"? "Reason Y" is information that won't necessarily be available to a passive IDS, but can be used by an IDS in determining what action to take in response: extra logging, shunning, whatever.
>
> Wouldn't it be neat if there was an IDS standard such that StackGuard-protected programs could complain about stack smashing attempts such that someone would listen?

This would be an obvious "next step" to what I was proposing.

> > IMHO, neither syslog nor SNMP "cut it" for this purpose.
>
> I'm currently using syslog for this purpose. I agree, I'd rather use something else (or at least something in addition to syslog).

> > IDS alert messages have lots of interesting characteristics.
>
> I think that inter-node IDS alerts need to be as secure as (or more secure than) the system audit logs.

> > The IDS would not have to be taught how to decipher each new protocol, it would instead understand the standard "Hey, IDS, here's an auth-failed message, take note!"
>
> The difficulty seems to be that there are many kinds of events to be communicated via such a protocol. For instance, some events are merely suspicious ("that looks like a similar pattern to an attack I once saw"), some events are very suspicious ("that looks EXACTLY like an attack pattern I know about"), some events are dead certain (StackGuard intrusion events), and some events have no significance at all unless taken in context (port scanning). A protocol that only allows you to report authentication failure isn't enough.

I chose the "auth failed" example as the most obvious hook into an IDS; it was only an example. Pattern detection is probably best performed (relatively) centrally (with localized short-cuts).

> The CIDF effort (http://olympus.cs.ucdavis.edu/cidf/) is trying to come to a consensus on such a protocol so that a wide variety of IDS instruments can cooperate to build something that can actually be described as an intrusion detection *system*.

Yeah, the CIDF stuff seems relatively reasonable, if overly complexicated.

> Crispin
> -----
> Crispin Cowan, Research Assistant Professor of Computer Science, OGI
> NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
> http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
> Support Justice: Boycott Windows 98
-- Steve
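As an added illustration (not code from the thread, from CIDF, or from any product), the four kinds of event Crispin lists could be carried as an explicit certainty class in the host-to-IDS message, so the central collector reacts to the class rather than being taught each new event type; the field names, action names and scan threshold below are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
# Certainty classes named in the thread: merely suspicious, very suspicious,
# dead certain (StackGuard), and significant only in context (port probes).
SUSPICIOUS, VERY_SUSPICIOUS, CERTAIN, CONTEXTUAL = (
    "suspicious", "very_suspicious", "certain", "contextual")

@dataclass(frozen=True)
class Alert:
    """Hypothetical host-to-IDS message; not CIDF and not any real product's format."""
    source: str     # reporting host or program
    event: str      # e.g. "auth_failed", "stack_smash", "port_probe"
    certainty: str  # one of the four classes above
    detail: dict    # the "reason Y" data a passive sniffer would not see

class Collector:
    """Central consumer: reacts to the certainty class, not the event name,
    so a new event type needs no new decoding logic at the IDS."""
    def __init__(self, scan_threshold=5):
        self.scan_threshold = scan_threshold
        self.probed_ports = defaultdict(set)  # peer -> distinct ports probed
        self.actions = []

    def handle(self, alert):
        if alert.certainty == CERTAIN:
            action = ("shun", alert.source, alert.event)
        elif alert.certainty == VERY_SUSPICIOUS:
            action = ("escalate", alert.source, alert.event)
        elif alert.certainty == CONTEXTUAL:
            # One probe means nothing; many distinct ports from one peer does.
            peer = alert.detail["peer"]
            self.probed_ports[peer].add(alert.detail["port"])
            if len(self.probed_ports[peer]) < self.scan_threshold:
                return None
            action = ("escalate", alert.source, "port_scan_from_" + peer)
        else:
            action = ("log", alert.source, alert.event)
        self.actions.append(action)
        return action

def demo():
    """Constructed sample alerts; returns the actions the collector took."""
    c = Collector(scan_threshold=3)
    for a in [
        Alert("web1", "auth_failed", SUSPICIOUS, {"resource": "/admin", "reason": "bad password"}),
        Alert("web1", "stack_smash", CERTAIN, {"program": "httpd"}),
        *(Alert("fw", "port_probe", CONTEXTUAL, {"peer": "10.0.0.9", "port": p}) for p in (21, 22, 23)),
    ]:
        c.handle(a)
    return c.actions
```

The auth-failure detail travels with the message but never decides the action on its own; only the port probes need state at the collector, which is the "taken in context" case from the thread.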