Re: Statistical Anomaly Analysis? (was: a bunch of things)

From: John S Flowers (jflowers@well.com)
Date: 03/18/02


Date: Sun, 17 Mar 2002 20:37:51 -0800
To: Josh Gray <grayjr@cerias.purdue.edu>
From: John S Flowers <jflowers@well.com>

You said, " Basically my point is that your IDS is what you make of it.
If you're tired of seeing the same alerts every day then disable them."

The stated purpose of an Intrusion Detection System is to detect an
intrusion on your network environment. If any IDS cannot do this - the
task it was specifically designed to perform - I would say it is both
incorrectly named and also totally useless.

The notion of disabling attacks just because they annoy someone is
completely ridiculous. It's like poking your head in the sand and saying
"no one can see me, since I can't see them!" If someone actually cares
about the network they're protecting, this kind of approach to security
should be unconscionable.

Unfortunately, I see this attitude manifest itself every day when a
network administrator gets a page, looks at the pager, then cradles it in
the holster again and looks up, saying, "Just our IDS going off again..."

And then said, "If you know your network really well then you can tune
your IDS to look for things that shouldn't be happening."

This, on the other hand, I completely agree with. You should be familiar
enough with your network to tune your IDS to alert on anything that
violates your network policy. This might be a port scan or access to a
sensitive server or someone using hotmail or an actual attack. In any case,
detecting _everything_ that could be considered an intrusion is exactly
the point of an intrusion detection system.

This does not, however, mean "log all traffic on my network." If logging
all traffic is important to someone's environment, there are far better
tools for this than IDS technology, which has trouble even keeping up with
the wire.

// apologies for the soapbox comments in advance.
// i'm listening to Nine Inch Nails live album,
// which always makes me a little edgy. ;)

On Saturday, March 16, 2002, at 05:29 PM, Josh Gray wrote:

> comments inline...
>
> Xiaoyong Wu wrote:
>
> > I would consider a system with the false alarm rate tunable. I can
> > understand that everyone likes zero false alarm rate but different
> > people may have different endurance for receiving those false alarms.
> > I more than agree that an Intrusion Detection System is no more than a
> > burglar system. But, let's take a look at the commercial products for
> > burglar systems. We will notice that the false alarm rate for those
> > systems is way below the current one for IDS'es. Yeah, there's still a
> > long way for IDS!
>
> What do you consider a false alarm? I don't see a lot of false alarms
> personally. I see a lot of unsuccessful attacks that get alerted on,
> such as code red attempts to apache servers. The code red alerts fire
> because there was an attempt to infect a machine with code red, or to
> check if it has already been infected. This alert fires all the time. If
> you are overwhelmed by it then simply disable the signature. The reason
> people get overwhelmed with alerts is because they don't take the time
> to go through and eliminate the signatures that they don't want or need.
> If you don't have any web servers then disable all of the web related
> signatures. Most IDSs come with a large signature set by default because
> they have no idea what their deployment environment is like. It's up to
> the operators of the system to tune it. IDS vendors could simply not
> include a default signature set and that would eliminate the alerts you
> have to deal with. If they did that though everyone would start
> complaining that their IDS didn't detect anything.
>
> Basically my point is that your IDS is what you make of it. If you're
> tired of seeing the same alerts every day then disable them. If you want
> to catch new attacks play around with the signature set to detect more
> generic things. If you know your network really well then you can tune
> your IDS to look for things that shouldn't be happening.
>
> >
> > I am not sure how those home security systems are built but I would
> > believe they are taking more events into consideration. At one time I
> > know that cats trigger them pretty often:).
> >
>
> Actually, they are looking for fewer events. They are looking for a
> small set of very specific events, such as someone breaking your window
> or kicking your door down. If a home alarm system alerted every time
> someone knocked on your door or called and hung up you would probably be
> overwhelmed (or at least annoyed) with alarms by this system too. I know
> some police/fire departments will stop responding to these alarms if
> they go off too often.
>
>
> Josh
>
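Both posters argue for tuning the IDS to the environment rather than silencing it, but neither shows what that looks like in practice. The following is an added example (my own, not code from either poster or from any IDS product) that combines the two ideas from the thread: Josh's "no web servers, disable the web signatures" is generalized per destination host using an asset inventory, and John's "alert on anything that violates network policy" (sensitive server access, web mail use) is escalated ahead of everything else. All hosts, signature names and alerts are constructed sample data, and the field names and labels are this example's own assumptions.

```python
"""Policy-driven IDS alert triage (added example; not from the thread).

Joins the two tuning ideas argued above: demote signatures for products
the target does not run (per destination host, via an asset inventory),
and escalate anything that violates network policy (sensitive server
access, banned application use). Every host, signature and alert is
constructed sample data; the field names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Alert:
    signature: str            # IDS rule name as the sensor reports it
    service: Optional[str]    # product the rule exploits; None = generic
    src: str
    dst: str
    dst_port: int


@dataclass
class Policy:
    inventory: Dict[str, Set[str]]    # host -> products it really runs
    sensitive_hosts: Set[str]         # any non-admin access is escalated
    banned_app_signatures: Set[str]   # firing alone is a policy violation
    admin_sources: Set[str] = field(default_factory=set)


def triage(alert: Alert, policy: Policy) -> str:
    """Assign one disposition label to an alert.

    Order matters: policy checks run first so that an attack against a
    sensitive host is never demoted just because the exploit cannot work.
    """
    if alert.signature in policy.banned_app_signatures:
        return "policy_violation"
    if alert.dst in policy.sensitive_hosts and alert.src not in policy.admin_sources:
        return "sensitive_access"
    exposed = policy.inventory.get(alert.dst)
    # Demote only when the inventory positively says the host lacks the
    # product; an unknown host keeps its alert (we cannot prove it is safe).
    if exposed is not None and alert.service is not None and alert.service not in exposed:
        return "demoted_unexposed_service"
    return "actionable"


def summarize(alerts: Iterable[Alert], policy: Policy) -> Dict[str, int]:
    """Count alerts per disposition, which is what an operator reviews."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        label = triage(alert, policy)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample environment (documentation and private address ranges).
SAMPLE_POLICY = Policy(
    inventory={
        "10.0.1.10": {"apache"},          # web server, but not IIS
        "10.0.1.30": {"iis"},
        "10.0.9.5": {"ssh", "postgres"},  # the sensitive database host
    },
    sensitive_hosts={"10.0.9.5"},
    banned_app_signatures={"WEB-CLIENT hotmail login"},
    admin_sources={"10.0.0.2"},
)

# Constructed sample alerts with Snort-style names.
SAMPLE_ALERTS = [
    Alert("WEB-IIS cmd.exe access", "iis", "198.51.100.7", "10.0.1.10", 80),  # code red vs apache
    Alert("WEB-IIS cmd.exe access", "iis", "198.51.100.7", "10.0.1.30", 80),  # code red vs iis
    Alert("WEB-IIS cmd.exe access", "iis", "198.51.100.7", "10.0.1.90", 80),  # host not in inventory
    Alert("WEB-CLIENT hotmail login", None, "10.0.1.50", "203.0.113.4", 80),
    Alert("SCAN nmap SYN", None, "10.0.1.50", "10.0.9.5", 22),
    Alert("SCAN nmap SYN", None, "10.0.0.2", "10.0.9.5", 22),                  # admin source
    Alert("WEB-IIS cmd.exe access", "iis", "198.51.100.7", "10.0.9.5", 80),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(f"{triage(a, SAMPLE_POLICY):26s} {a.signature:26s} {a.src} -> {a.dst}:{a.dst_port}")
    print(summarize(SAMPLE_ALERTS, SAMPLE_POLICY))
```

Two design choices are worth noting. A host missing from the inventory is never demoted, because "we do not know what it runs" is not the same as "it does not run IIS"; the code red alert against 10.0.1.90 therefore stays actionable until someone adds the host to the inventory. And the same code red alert aimed at the sensitive database host is escalated rather than demoted, even though that host runs no web server at all, since the fact that someone is probing it is itself the thing John says the IDS exists to report.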
