WebApp Sec mailing list archives
Re: Notes from CISSP class with Dr. Eric Cole
From: Garth Somerville <therealgarth () yahoo com>
Date: Tue, 4 Oct 2005 08:27:51 -0700 (PDT)
--- Saqib Ali <docbook.xml () gmail com> wrote:
.... The notes are available at: http://www.xml-dev.com/blog/?action=viewtopic&id=150
Hello Saqib:

Thanks for posting your notes, I think they are well done and quite useful. However, I would like to clarify the IDS notes a bit.

Under "IDS Events Defined," you make a great observation about IDS, but classifying all traffic as either "Attack Traffic" or "Normal Traffic" can be misleading as it relates to the next section, "IDS Methods of Operation." Not all abnormal traffic represents an attack, and not all normal traffic represents authorized activity. Also, positioning anomaly detection as being both default deny and more secure could be misleading.

Detection systems are usually classified as either anomaly based or policy based. Anomaly based systems classify traffic as either being normal or abnormal and operate on the assumption that what is abnormal is likely to be malicious or unauthorized. This is sometimes true but frequently false. Since these systems do not directly test for either authorized or unauthorized traffic, it is not clear that there is any advantage to thinking of them in terms of being default-deny or default-allow models (in any case you could argue it either way).

On the other hand, policy based systems are either misuse detection systems (default allow) or specification based systems (default deny). Furthermore, misuse systems can be either state driven or stateless. So it is quite possible to have a "pattern matching" IDS that uses a default deny model by matching traffic against rules that describe allowable activity. This seems to contradict the classification in your notes.

Anomaly and policy based systems each have advantages and disadvantages. A misuse system like Snort can detect known exploits regardless of whether the traffic would appear normal or abnormal by some measure, it is likely to generate fewer false positives, and the alerts generated provide precise information about what is claimed to have been detected.
An advantage of anomaly based systems is their potential to detect 0-day exploits or other unauthorized activity not previously identified (or codified) as such, and they do not require constant updating of signatures or rules. On the other hand, they may tend to generate more false positives and their alerts will generally require deeper investigation to understand if what has been detected represents unauthorized or simply unusual activity.

The reason I think this is worth bringing up on this list is that it is often overlooked that all of these ideas can be, and have been, applied at both the application level and the level of authenticated users. That is why I emphasize "unauthorized traffic" over "attack traffic": not all unauthorized activity consists of exploits of vulnerabilities in the "hacker" sense, and the same techniques can be applied to detecting AUP violations, fraud, and misuse conducted via applications.

Cheers,
-Garth Somerville
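The three detection models described in the reply above, run over a constructed set of application access events (an added example, not code from the thread or from Saqib's notes; the event sample, the signature list and the allow rules are all made up for illustration):

```python
import re
from collections import Counter

# Constructed sample of application access events: (user, method, path).
EVENTS = [
    ("alice", "GET", "/reports/2005/q3"),
    ("alice", "GET", "/reports/2005/q2"),
    ("bob",   "GET", "/reports/2005/q3"),
    ("bob",   "GET", "/reports/2005/export"),      # looks normal, but export is not permitted
    ("carol", "GET", "/reports/../../etc/passwd"),  # matches a well-known traversal signature
    ("alice", "GET", "/reports/archive/1999/q1"),   # unusual, but permitted by policy
]

# Misuse detection (policy based, default allow, stateless): flag only events
# that match a known-bad signature; everything else passes.
SIGNATURES = [re.compile(r"\.\./"), re.compile(r"(?i)union\s+select")]

def misuse_detect(events):
    return [e for e in events if any(s.search(e[2]) for s in SIGNATURES)]

# Specification based detection (policy based, default deny): flag every event
# that is not described by a rule for allowable activity.
ALLOWED = [("GET", re.compile(r"^/reports/(archive/)?\d{4}/q[1-4]$"))]

def spec_detect(events):
    def permitted(method, path):
        return any(method == m and rule.match(path) for m, rule in ALLOWED)
    return [e for e in events if not permitted(e[1], e[2])]

# Anomaly detection: model "normal" as the path prefixes seen at least
# min_count times in the sample and flag anything rarer. It never tests
# authorization directly, so rare-but-permitted activity is flagged too.
def anomaly_detect(events, min_count=2):
    prefix = lambda path: "/".join(path.split("/")[:3])
    counts = Counter(prefix(e[2]) for e in events)
    return [e for e in events if counts[prefix(e[2])] < min_count]

if __name__ == "__main__":
    for name, fn in [("misuse", misuse_detect), ("spec", spec_detect), ("anomaly", anomaly_detect)]:
        print(name, [e[2] for e in fn(EVENTS)])
```

Only the specification rules catch bob's normal-looking but unpermitted export, only the anomaly model flags alice's unusual but permitted archive request, and all three flag the traversal attempt.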