IDS mailing list archives
Re: IDS detection approaches
From: Liran Cohen <theog () rct co il>
Date: Sun, 14 Oct 2007 17:30:31 +0200
I think blocking packets based on scoring of the source is a very bad way to go. Just like spam, it will result in a lot of false positives and actually lead to a "selective" internet, which I am sure many don't want. The thing is, by scoring you cannot just decide a subnet is likely to have attacks originating from it and thus block that subnet (like people do with e-mails). I happened to see a lot of e-mail servers which were blocked due to CBLs and such and were in fact clean servers, but removing such an entry from the CBLs is a very long, tiring process, resulting in servers such as Hotmail which many don't use because it blocks many subnets. I would hate to see the same happen with IDS, i.e. trying to surf the internet and getting a "your page has been blocked due to IP blacklisting of your subnet" because someone decided to perform an attack from my subnet.

My 2 cents.... ;)

'Merigoth' wrote:

FF, I believe IDS placement should depend upon its purpose. The purpose of the IDS should determine where the IDS is placed. For example, an IDS whose purpose is to identify all possible inbound threats for firewall tweaking (or returning traffic back to the community ;]) should be placed outside the firewall. A production protection IDS would probably be better placed inside the firewall. Defense-in-depth and architecture design are two key points to remember.

As far as answering the initial question, one new trend is "vector-based" modeling. Take a look at http://www.trustedsource.org/, and the trustedsource query. Plug in a few IP addresses and see. (NOTE: I do not work for Secure Computing.) The simplistic idea is that a network space, 192.168.1.x (for example), is given a "credit card" score (or trustworthiness score). This "trustworthiness" score is a determination of the network space to be secure and remain secure at a given point in time. If the IP address or network space is flagged as malicious, a firewall admin may wish to block all traffic to/from that IP space. Remember that saying about blocking email based upon country codes/location/email language due to the likelihood of spam? This takes that idea and makes it a little more useful, in my opinion. This is possible because it is an aggregation of flow data, signature-based and heuristic/anomaly detection IDS capabilities.

Partially referring back to the initial paragraph and what others have mentioned, a company needs a blended IDS system. Signature-based systems require dedicated analysts to maintain, and can quickly absorb storage space on large links. Flow data, usually coming from routers, can provide important information. However, it usually requires an outside trigger (like a trustworthiness score or an IDS event) to research. One of the key benefits of flow data is the amount of traffic passed for an event. An IDS system may not capture the full stream, or storage may be an issue. Flow data can record the total bytes passed, which can be in the 10s of megs of data, in the space of a few hundred bytes. So the conversation turns back into defense-in-depth and architecture design. I think application layer / "deep packet analysis" is also starting to take off, as well. Hopefully, this helps, snort user.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of frankfrydrych () gmail com
Sent: Thursday, October 04, 2007 4:30 PM
To: focus-ids () securityfocus com
Subject: Re: IDS detection approaches

Hola,

I would completely go with a signature-based IDS. Anomaly-based IDS will not give you the greatest results. For signature-based I highly recommend SNORT. It is probably one of the best IDS out there. Now I'm not just saying this as a "ooh, open source is the best". I truly believe this. I actually used to be a huge Cisco buff and just dealt with Cisco IDS. However, at my current job I am a security analyst and have to analyze events from Cisco, IIS, Juniper, etc., and SNORT beats them all. Mainly for the fact that you are able to see the packet payload and are able to make the decision if something is malicious based on the actual payload and not just the signature that is triggered (like some IDS). Also, when a new threat emerges, usually SNORT users will create a signature to combat the threat. The other vendors create the signatures for you and it usually ends up being like 3 months after the threat was actually a realistic threat. And on top of it, the vendor signatures usually give out a huge amount of false positives.

Then again, an IDS is only as good as who tunes it. If you take ANY IDS and turn it on in a production network you will have so many false positives I guarantee you will miss actual threats. Every IDS (including SNORT) has to be tuned for the production network it is on.

Finally, make sure to place the IDS behind the firewall. If you place it in front of the firewall you will receive so much traffic that it is just not valuable data. You have a firewall, so let the firewall do its job and block the already known bad activity, and catch what gets through the firewall with an IDS.

-FF

--
Liran Cohen
http://www.rct.co.il
http://www.dir.rct.co.il
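As an added example (it is not code from this thread, from trustedsource.org or from any vendor named above), the following Python script does two things the posts discuss: it collapses constructed packet-level records into flow records the way a router exporting flow data would, showing how few bytes the exported records need compared with the traffic they summarize; and it applies a per-network trust score to those flows to select them for analyst review, using longest-prefix match so that one host inside a low-scored subnet can carry its own score instead of being treated like its neighbours. The packet log, the prefixes and scores, the 29-byte record layout and the review threshold are all constructed assumptions for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Constructed packet-level log (not real traffic):
# timestamp  src  sport  dst  dport  proto  payload-bytes
PACKET_LOG = """\
1191500000 192.168.1.10 50122 10.0.0.5 80 6 1500
1191500000 192.168.1.10 50122 10.0.0.5 80 6 1500
1191500001 192.168.1.10 50122 10.0.0.5 80 6 1200
1191500001 10.0.0.5 80 192.168.1.10 50122 6 60
1191500002 192.168.1.77 40001 10.0.0.5 22 6 300
1191500003 198.51.100.9 3333 10.0.0.5 443 6 900
"""

# Constructed trust scores per network space (0 = no trust, 100 = fully trusted).
# The /32 entry is a host-specific override inside the low-scored /24.
SCORED_PREFIXES = {
    "192.168.1.0/24": 20,
    "192.168.1.77/32": 95,
    "198.51.100.0/24": 90,
}


@dataclass
class FlowRecord:
    first_seen: int
    last_seen: int
    packets: int = 0
    octets: int = 0


def parse_packet_log(text):
    """Turn the whitespace-separated log lines into typed tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, sport, dst, dport, proto, size = line.split()
        rows.append((int(ts), src, int(sport), dst, int(dport), int(proto), int(size)))
    return rows


def aggregate_flows(packets):
    """Collapse packets into unidirectional flow records keyed by the 5-tuple."""
    flows = {}
    for ts, src, sport, dst, dport, proto, size in packets:
        key = (src, sport, dst, dport, proto)
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = FlowRecord(first_seen=ts, last_seen=ts)
        rec.last_seen = max(rec.last_seen, ts)
        rec.packets += 1
        rec.octets += size
    return flows


# Assumed fixed-size export layout (29 bytes): src, dst, sport, dport, proto,
# packets, octets, first_seen, last_seen. Loosely modelled on flow-export records.
RECORD_FMT = "!4s4sHHBIIII"


def export_record(key, rec):
    """Serialize one flow record into the fixed binary layout above."""
    src, sport, dst, dport, proto = key
    return struct.pack(RECORD_FMT, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, sport, dport, proto,
                       rec.packets, rec.octets, rec.first_seen, rec.last_seen)


def compression_summary(packets):
    """Return (payload bytes seen, bytes of exported flow records, flow count)."""
    flows = aggregate_flows(packets)
    payload = sum(p[6] for p in packets)
    exported = sum(len(export_record(k, r)) for k, r in flows.items())
    return payload, exported, len(flows)


def reputation_score(ip, scored_prefixes):
    """Longest-prefix match: the most specific scored network space wins; 100 if unscored."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for prefix, score in scored_prefixes.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, score)
    return 100 if best is None else best[1]


def triage_flows(flows, scored_prefixes, threshold=30):
    """Select flows touching low-trust space for analyst review (the score is a trigger, not a verdict)."""
    review = []
    for (src, sport, dst, dport, proto), rec in flows.items():
        score = min(reputation_score(src, scored_prefixes),
                    reputation_score(dst, scored_prefixes))
        if score < threshold:
            review.append({"src": src, "dst": dst, "dport": dport,
                           "octets": rec.octets, "score": score})
    return review


if __name__ == "__main__":
    packets = parse_packet_log(PACKET_LOG)
    print("payload bytes, exported bytes, flows:", compression_summary(packets))
    for item in triage_flows(aggregate_flows(packets), SCORED_PREFIXES):
        print("review:", item)
```

Running it shows 5460 payload bytes summarized in 116 bytes of flow records, and only the flows involving 192.168.1.10 land in the review list: 192.168.1.77 sits in the same /24 but carries its own host score, which is the per-host escape hatch Liran's CBL experience argues for.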