RE: Signature vs. Anomaly- again (was Re:: IDS Players?)

From: Bill Royds (sf-lists@royds.net)
Date: 06/20/02


From: "Bill Royds" <sf-lists@royds.net>
To: "Vitaly Osipov" <witt@iol.ie>, "Greg Shipley" <gshipley@neohapsis.com>
Date: Wed, 19 Jun 2002 19:15:11 -0400

The real problem is any significant server farm is not going to have all servers patched to the latest great patch revision. If they are doing anything non-standard (and therefore useful and competitive), they will need extensive regression testing before new patches are put into production.
  Thus an IDS that warns of attacks so one can
  1/ Repel them with shunning
  2/ Accelerate the patch upgrade because your servers are now more vulnerable
  3/ Stop the vulnerable application until patches are available.
often makes good business sense. Organizations don't have magic money to pay sysadmins to apply patches while they lose revenue with offline servers. They need good people to continually evaluate the risk of each IT decision and determine the optimal security choice. Often the real anomaly detection is an IDS that has the rule set "alarm on anything other than http/https and DNS to this box". The signatures are there to classify the traffic after the basic anomaly detection (this traffic doesn't belong here) to help administrators properly handle the situation. Magic AI hardly ever beats sound knowledge of what your traffic should be like. Network GREP is one of the best things to understand your traffic.

-----Original Message-----
From: Vitaly Osipov [mailto:witt@iol.ie]
Sent: Wed June 19 2002 14:21
To: Greg Shipley
Cc: focus-ids@securityfocus.com
Subject: Re: Signature vs Anomaly- again (was Re: IDS Players?)

<snip>

(I know the following is a rather useless topic, so everybody feel free to
disregard the following paragraph :) )

I tend to believe that network grep IDS are not very useful things - I do
not care if somebody tries a *known* exploit against my network (if I know
the network servers/devices are patched) - maybe I just do not feel the
need to punish them :). They might be useful in very large networks as
control tools, helping find out admins' mistakes. If somebody manages to
come up with tools that will find 0-day things, it will be much more useful,
at least for me... Do you know which signature proved most useful in the days of
Code Red? The one that was matching traffic from xxx.xxx.xxx.xxx:80 for the
string "file(s) copied". The match signalled that the server was going to be
compromised even before anybody heard of the actual exploit.

Regards,
Vitaly.
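As an added illustration of the two ideas in this exchange (not code from either poster): a whitelist-first rule of the kind Bill describes ("alarm on anything other than http/https and DNS to this box"), with content signatures applied only afterwards to label what the whitelist lets through, including the "file(s) copied" string Vitaly recalls from the Code Red days. The flow records, host addresses and the classify/scan functions are constructed for this example.

```python
from dataclasses import dataclass

# Stage 1: the only services expected on the protected web server.
# Anything else is the "this traffic doesn't belong here" anomaly.
ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Stage 2: content signatures used to classify traffic that passed the
# whitelist. "file(s) copied" is the shell output of a `copy` command
# being echoed back over the web port, which is what gave Code Red away.
SIGNATURES = {
    "file(s) copied": "web server echoing command output (Code Red pattern)",
}

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: str

def classify(flow, allowed=ALLOWED, signatures=SIGNATURES):
    """Return (verdict, reason) for one flow: whitelist first, then signatures."""
    # Either endpoint may be the protected service (request or response).
    if (flow.proto, flow.dport) not in allowed and (flow.proto, flow.sport) not in allowed:
        return "alert", f"unexpected service {flow.proto}/{flow.dport}"
    text = flow.payload.lower()
    for pattern, label in signatures.items():
        if pattern in text:
            return "alert", label
    return "ok", "expected service, no signature match"

def scan(flows):
    """Return only the alerting flows, paired with the reason."""
    return [(f, reason) for f in flows for verdict, reason in [classify(f)] if verdict == "alert"]

# Constructed sample flows involving the web server 192.0.2.10.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", "tcp", 40001, 80, "GET /index.html HTTP/1.0"),
    Flow("198.51.100.7", "192.0.2.10", "tcp", 40002, 445, ""),
    Flow("192.0.2.10", "198.51.100.9", "tcp", 80, 40003, "        1 file(s) copied."),
]

if __name__ == "__main__":
    for flow, reason in scan(SAMPLE_FLOWS):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  {reason}")
```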
