IDS mailing list archives

Re: ssh and ids


From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 22 Jun 2004 17:11:16 -0400

On Jun 22, 2004, at 9:56 AM, Adam Powers wrote:

> Regarding: "Hacker busts into your network and sets up an SSH server,
> RNA picks it up and can let you know that it detected a new service and
> logs the flow data, etc."
>
> But you can't stop with simple "port profiling". StealthWatch has had
> this technology for years and we've found that the same problems you run
> into with IDS alerting are seen when attempting to truly profile and
> react to each new service entering the network. StealthWatch even takes
> it a step further and allows you to profile outbound "client" traffic if
> you wish (in addition to server ports). Still, this is a classic "needle
> in a haystack" problem. Sure, the data that identifies the attack is
> there, but it's useless because you can't find it.

We're not seeking to detect the attack with RNA; that's what our IDS product is for. We're looking for the configuration management/security policy violation that's indicated by the observed activity, not looking for statistical anomalies or even protocol anomalies from within RNA.

> Port profiling has to be augmented with other more intelligent
> techniques to expose the important data.

RNA doesn't just do "port profiling". The detection of a new active port/service/protocol/server/etc. may indicate activity that should be analyzed by our policy compliance analysis stage on our management console (now called the Sourcefire Defense Center). The result of this analysis can then be leveraged to provide whatever kind of response the user is interested in.

> Sure, StealthWatch can be configured to alarm when a new port shows up,
> but the real power of the port profiling is seen during the flow
> analysis process. StealthWatch uses the port profile data to determine
> how network traffic should be analyzed. An example is DNS-related ICMP
> Port Unreachables. When StealthWatch recognizes a host as being a DNS
> server, it immediately begins applying flow analysis algorithms that are
> suitable for analysis of DNS traffic.

We also have flow analysis capability, in addition to the capabilities we're developing for our IDS technology, to bring forth a true target-based detection mechanism that can be leveraged on both the deterministic (IDS) proactive detection side and the nondeterministic (RNA) policy compliance side of the coin.

I believe that the original poster wanted to know if there was a system out there capable of isolating this kind of activity on the network for backdoor detection; it sounds like both of our products can perform that function to some degree.

     -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
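The two-stage scheme the thread describes, learning from flow records which hosts offer which services and then judging each newly seen service against a per-host policy instead of alerting on every new port, as an added example. This is illustrative code written for this page, not code from RNA, StealthWatch or Snort; the flow records, the host role table, the allowed-service table, the MIN_CLIENTS threshold and the "did the server reply" flag are all constructed assumptions.

```python
"""Passive service profiling followed by a policy-compliance check.

Added example, not code from Sourcefire RNA, StealthWatch or Snort.
Stage one watches flow records and learns which (host, proto, port)
tuples act as servers. Stage two compares each newly confirmed service
against a per-host policy, so only policy violations are raised.
All flow records and the asset policy below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # "tcp" or "udp"
    server_replied: bool  # dst sent packets back; unanswered probes are not services


# Assumed threshold: distinct clients needed before a port counts as an offered service.
MIN_CLIENTS = 2


class ServiceProfiler:
    """Learns which hosts offer which services from flow records."""

    def __init__(self, min_clients=MIN_CLIENTS):
        self.min_clients = min_clients
        self._clients = defaultdict(set)  # (host, proto, port) -> set of client IPs
        self.services = set()             # confirmed (host, proto, port) tuples

    def observe(self, flow):
        """Feed one flow; return the service tuple if it just became confirmed, else None."""
        if not flow.server_replied:
            return None                   # ignore scans and half-open probes
        key = (flow.dst, flow.proto, flow.dport)
        self._clients[key].add(flow.src)
        if key not in self.services and len(self._clients[key]) >= self.min_clients:
            self.services.add(key)
            return key
        return None


# Constructed asset policy: role per host, and which services each role may offer.
HOST_ROLES = {
    "10.0.0.10": "dns-server",
    "10.0.0.20": "web-server",
    "10.0.0.50": "workstation",
}
ALLOWED_SERVICES = {
    "dns-server": {("udp", 53), ("tcp", 53)},
    "web-server": {("tcp", 80), ("tcp", 443), ("tcp", 22)},  # admin ssh permitted here
    "workstation": set(),                                    # workstations serve nothing
}


def check_policy(service):
    """Return a violation message for a confirmed service, or None if the policy permits it."""
    host, proto, port = service
    role = HOST_ROLES.get(host, "unknown")
    if (proto, port) in ALLOWED_SERVICES.get(role, set()):
        return None
    return f"{host} ({role}) started serving {proto}/{port}, not permitted for role"


def analyze(flows, profiler=None):
    """Run flows through the profiler; return (newly confirmed services, policy violations)."""
    if profiler is None:
        profiler = ServiceProfiler()
    new_services, violations = [], []
    for f in flows:
        svc = profiler.observe(f)
        if svc is None:
            continue
        new_services.append(svc)
        violation = check_policy(svc)
        if violation:
            violations.append(violation)
    return new_services, violations


# Constructed sample flows: normal DNS, web and admin-ssh traffic, an unanswered
# scan of the workstation, then an sshd answering on the workstation.
SAMPLE_FLOWS = [
    Flow("10.0.0.50", 40001, "10.0.0.10", 53, "udp", True),
    Flow("10.0.0.51", 40002, "10.0.0.10", 53, "udp", True),
    Flow("192.0.2.7", 51000, "10.0.0.20", 443, "tcp", True),
    Flow("192.0.2.8", 51001, "10.0.0.20", 443, "tcp", True),
    Flow("192.0.2.9", 51002, "10.0.0.20", 22, "tcp", True),
    Flow("10.0.0.51", 51003, "10.0.0.20", 22, "tcp", True),
    Flow("192.0.2.99", 52000, "10.0.0.50", 22, "tcp", False),    # probe, no reply
    Flow("192.0.2.99", 52001, "10.0.0.50", 4444, "tcp", False),  # probe, no reply
    Flow("192.0.2.99", 52002, "10.0.0.50", 22, "tcp", True),     # planted sshd answers
    Flow("192.0.2.100", 52003, "10.0.0.50", 22, "tcp", True),
]

if __name__ == "__main__":
    new, bad = analyze(SAMPLE_FLOWS)
    for s in new:
        print("new service:", s)
    for v in bad:
        print("VIOLATION:", v)
```

Four services get confirmed from the sample flows, but only the SSH server on the workstation reaches the operator, which is the point of putting a policy stage after the profiler: the three legitimate "new service" events never become alerts, and the unanswered scan of the workstation never becomes a service at all.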
