IDS mailing list archives

Re: Views and Correlation in Intrusion Detection


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Thu, 19 Jun 2003 18:05:45 -0700


David Markle writes:

> However, the greater question is how do you 1.) capture and 2.) disseminate
> the "sixth" packet from real traffic?

Differentiate.  But yes;  this is a nontrivial question, and one which
you probably correctly place beyond the scope of this discussion.

My point is that what constitutes innocuous is just as dependent on
context as what constitutes suspicious.  You observe that packets
matching j. random scan signature aren't very interesting unless the target
happens to be vulnerable to the thing being scanned for.  Fair enough.
My point is that a `clean' connection from a given source suddenly becomes
interesting if the same source has sent a bunch of traffic that just
matched j. random signature.  Something that looks uninteresting coming
from a random point on the net is probably very interesting coming from
someone who has been scanning you.

Whether this correlation takes place via a visual grep done by an analyst
or by a table join done by your NIDS backend is really a separate issue.
It is the case that most contemporary NIDSes are pretty bad about doing
this sort of thing---but more's the pity for the NIDS, not for the
validity of the contention.


> Finally, you referenced IDMEF in your [-] footnote, which was a bit confusing.
> Please elaborate on your comment.

It wasn't really germane to the main point, which is why I put it in a
footnote and labeled it as a random aside.  Anyway, the IDMEF is ostensibly
a general-purpose mechanism for exchanging data relating to intrusion
detection systems.  The situation I described is obviously a fairly
straightforward one which is nevertheless needlessly difficult to
describe in the IDMEF[0].  When I grumble about the IDMEF, I'm frequently
asked to supply examples of weaknesses in it;  it occurred to me when I
was composing my message that what I was describing was one such example.


-spb

-----
0       Owing to the structure of the model;  namely, a result of
        the decision to rely on a context-free grammar adept at expressing
        relationships involving aggregation and inheritance.

