Re: Firewall Tester 0.6
From: Bennett Todd (bet@rahul.net)
Date: 04/13/02
- In reply to: Marcus J. Ranum: "RE: Firewall Tester 0.6"
- Next in thread: Brian: "Re: Firewall Tester 0.6"
Date: Sat, 13 Apr 2002 11:21:26 -0400
From: Bennett Todd <bet@rahul.net>
To: "Marcus J. Ranum" <mjr@nfr.com>
2002-04-11-11:48:40 Marcus J. Ranum:
> [...] We had a case where a tester played snort-sig fragments at
> an NFR and the NFR didn't generate a single false alarm. [...]
> A lesser system would have generated a ton of false alarms and
> irritated the heck out of the administrator, which would have been
> the wrong thing to do because there was no actual attack or even
> threat.
That statement carries an assumption with it. It sounds sorta
reasonable in the case where an IDS is placed outside the firewall,
where it can see all the yammering of all the folks on the internet,
and where you're unconcerned about folks probing your security
perimeter.
Depending on local policies and on sensor placement, firing a wad of
signatures across the bow of the IDS could in fact be an actual
incident even if there were no software attack in progress.
E.g. consider IDSes placed inside the innermost firewall perimeter,
placed to detect incoming attacks that have succeeded in making it
through the firewalls, and outbound attacks of any sort. There the
only thing I'd call a real "false alarm" would be something like the
noted "AAA..." shellcode sled pattern match. Someone injecting a
stream of signatures through this perimeter is performing a security
probe of some sort, and nobody with access to that perimeter is
permitted to do any such thing --- except of course for the firewall
admins, one and the same as the recipients of the IDS alarms.
Given that sort of sensor placement and policy, any unexpected
alarms coming out of an IDS do reflect an incident, even if it's
just a signature stream.
-Bennett
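As an added illustration of the placement-and-policy argument above (example code, not part of the original message or of any NFR or snort tool): a small triage pass over constructed IDS alert lines. Sensor names, the alert line format, the authorized-tester address and the "signature stream" threshold are all assumptions made here. Alerts whose signature name matches a known sled-style false positive are dropped as false alarms; on an outside sensor a burst of many distinct signatures from one source is classed as background noise; on an inside sensor the same burst is an incident unless it comes from a firewall admin's host, because local policy permits nobody else to push signatures through that perimeter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sensor placement relative to the firewall perimeter (hypothetical sensor names).
SENSOR_PLACEMENT = {
    "dmz-ids": "outside",   # sees the whole internet; probes here are expected noise
    "core-ids": "inside",   # behind the innermost firewall; only the admins may probe
}

# Source hosts the firewall admins are permitted to test from (hypothetical addresses).
AUTHORIZED_TESTERS = {"10.0.0.10"}

# Signature names known from local experience to fire on benign traffic
# (the "AAA..." shellcode-sled style match). Treated as false alarms on any sensor.
KNOWN_NOISE = re.compile(r"NOOP|shellcode sled", re.IGNORECASE)

# A "signature stream": at least this many distinct sids from one source in the window.
STREAM_MIN_DISTINCT = 5
STREAM_WINDOW = timedelta(seconds=60)

# Constructed alert format for this example; not real NFR or snort output.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+) sensor=(?P<sensor>\S+) sid=(?P<sid>\d+) '
    r'msg="(?P<msg>[^"]*)" src=(?P<src>\S+) dst=(?P<dst>\S+)$'
)


def parse_alert(line):
    """Parse one alert line; return None for lines that do not match the format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.fromisoformat(a["ts"])
    a["sid"] = int(a["sid"])
    return a


def is_signature_stream(alerts):
    """True if some STREAM_WINDOW slice of these alerts (one sensor, one source)
    carries at least STREAM_MIN_DISTINCT distinct signature ids."""
    alerts = sorted(alerts, key=lambda a: a["ts"])
    for i, first in enumerate(alerts):
        sids = set()
        for a in alerts[i:]:
            if a["ts"] - first["ts"] > STREAM_WINDOW:
                break
            sids.add(a["sid"])
            if len(sids) >= STREAM_MIN_DISTINCT:
                return True
    return False


def triage(lines):
    """Map (sensor, src) -> verdict, applying placement and policy per source."""
    groups = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            groups[(a["sensor"], a["src"])].append(a)

    verdicts = {}
    for (sensor, src), alerts in groups.items():
        real = [a for a in alerts if not KNOWN_NOISE.search(a["msg"])]
        if not real:
            verdicts[(sensor, src)] = "false-alarm"      # only sled-style matches fired
            continue
        placement = SENSOR_PLACEMENT.get(sensor, "unknown")
        stream = is_signature_stream(real)
        if placement == "inside":
            if src in AUTHORIZED_TESTERS:
                verdicts[(sensor, src)] = "authorized-test"
            else:
                # Policy: nobody else may inject signatures through this perimeter,
                # so even a pure signature stream with no working exploit is an incident.
                verdicts[(sensor, src)] = "incident"
        elif placement == "outside" and stream:
            verdicts[(sensor, src)] = "background-noise"  # someone probing the outer edge
        else:
            verdicts[(sensor, src)] = "review"
    return verdicts


def _burst(sensor, src, start, sids, msg="TEST sig {sid}"):
    """Constructed sample data: one alert per sid, five seconds apart."""
    return [
        f'{(start + timedelta(seconds=5 * i)).isoformat()} sensor={sensor} sid={sid} '
        f'msg="{msg.format(sid=sid)}" src={src} dst=10.9.0.5'
        for i, sid in enumerate(sids)
    ]


T0 = datetime(2002, 4, 13, 11, 21, 26)
SIX = [1001, 1002, 1003, 1004, 1005, 1006]
SAMPLE_ALERTS = (
    _burst("core-ids", "10.5.5.5", T0, SIX)                                    # non-admin, inside
    + _burst("core-ids", "10.0.0.10", T0, SIX)                                 # firewall admin
    + _burst("dmz-ids", "203.0.113.7", T0, SIX)                                # internet probe
    + _burst("core-ids", "10.7.7.7", T0, [1390], msg="SHELLCODE x86 NOOP")     # sled-style FP
    + _burst("dmz-ids", "198.51.100.9", T0, [1002], msg="WEB-IIS cmd.exe access")
    + ["this line is not an alert"]                                            # ignored
)

if __name__ == "__main__":
    for key, verdict in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{key[0]:9} {key[1]:14} {verdict}")
```

The point the code makes is that the verdict for an identical burst of alerts depends on two things the IDS engine itself cannot know: where the sensor sits and who is allowed to generate that traffic there. The same six signatures from one host are noise on `dmz-ids`, an authorized test from the admin host on `core-ids`, and an incident from anyone else on `core-ids`.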