IDS mailing list archives
Re: Reputation based IPS/IDS - Cisco's tested
From: Frank Knobbe <frank () knobbe us>
Date: Sat, 22 Aug 2009 12:34:58 -0500
On Tue, 2009-08-11 at 17:49 +0200, Joel Snyder wrote:
Some of you may remember our discussion back in November, 2008 about using reputation services in IPS. (search for subject line "Email reputation for inout to IDSs?" if you want to read it).
From the article: "This basic use of reputation filters isn't new, but what's interesting is that Cisco will use this reputation data to change the Risk Rating of security events identified by the IPS. In other words, an event linked to a 'bad' IP address will result in an even higher Risk Rating." Isn't this backwards? The risk to a system of an attack coming from an known attacker compared to an unknown attacker is the same. Matter the fact, I'd like to argue the opposite. Since the known attacker has already been identified (and can be blocked), the Risk Rating of the alert for that address should be lower. Unknown attackers should receive a high Risk Rating so they stand out and can be addressed first (like that laptop in the article's example). Now, I understand that the *assurance* of the alert is higher, since the attacker has already been verified as hostile, so the likelihood of a false positive from that address is lower. But I think classifying the known attackers as high risk so the user focuses on those first is a misguided step in the wrong direction. I can already envision the evasion scenario: Flood your target with SQL injections attacks through known open proxies (so they receive a high Risk Rating), and slip in the real attack from an unknown IP (classified now as ... not-so-high risk). Which would you be more concerned about? IP intelligence within the IDS console is of course of great benefit. (we've been doing this for years. Then again, we've been using IP reputation and blocking known evil IP's in a distributed fashion for years as well...). Any IP intel for the analyst in the console is a good thing. I'm just not sure that *interpreting* that IP intel on behalf of the analyst is the right thing to do. Thoughts? Regards, Frank -- It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Reputation based IPS/IDS - Cisco's tested Joel Snyder (Aug 11)
- Re: Reputation based IPS/IDS - Cisco's tested Frank Knobbe (Aug 24)
- Re: Reputation based IPS/IDS - Cisco's tested Gautam Singaraju (Aug 24)
- Re: Reputation based IPS/IDS - Cisco's tested Frank Knobbe (Aug 24)