Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network.

From: zippy pinhead (john_the_gripper@yahoo.com)
Date: 06/28/02


Date: Fri, 28 Jun 2002 01:24:01 -0700 (PDT)
From: zippy pinhead <john_the_gripper@yahoo.com>
To: Tom D'Aquino <tom_daquino@yahoo.com>

Tom D'Aquino wrote:
> <...>
> Is this how the rest of the IDS community defines a
> false positive?

I agree, their nomenclature is confusing. "False
positive" should refer only to alerts triggered by
"normal" traffic. Attacks are not normal, even if it
is the thousandth Nimda scan you've seen. It's
misleading to lump unsuccessful attacks into the same
category as, say, trigger strings inadvertently
embedded in legitimate e-mail.

> I don't know of a single NIDS product capable of
> confirming whether or not the host was compromised.
> I think if an actual attack was thrown at a host,
> the IDS should report on it.

I just heard about a new one (shipping 7/1) that
claims this capability:

http://www.psionic.com/products/clearresponse.html

Yes, as in Psionic PortSentry/LogCheck (oops, now
"LogSentry"). Read the ClearResponse glossies, then
go back & read the NWfusion article again.
Coincidence? Hmmmm ... that's mighty convenient
timing to be singing the same song. Looks like some
vendors want to relegate IDS to the post-compromise
mop-up department. That's not necessarily bad, but
some of us still hold out hope that an IDS can at
least occasionally help the admin recognize and block
an attack *before* it can succeed.

> "But Opus One's servers run OpenVMS, not Windows.
> Even though it is trivially easy to figure out what
> operating system a Web server uses, not one of the
> IDSs did so."
>
> Is nCircle the only company that has a device
> capable of this?

If you wanted to remain stealthy, you could make some
very educated guesses about what OS is on both sides
of a tcp connection with fingerprinting tools like p0f
(http://www.stearns.org/p0f/README).

John
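The two points in the message above, that a passive fingerprinter such as p0f can tell an IDS what OS a host runs, and that an attack against a platform it cannot affect should be reported as an attack rather than filed as a "false positive", can be put together in a few lines. The following is an added example written for this archive page; it is not p0f, not code from any vendor or poster in the thread, and every signature value, OS family name, packet and alert in it is constructed for illustration. It matches the TTL, window size, DF flag and TCP option order of a SYN the host itself originated against a tiny hypothetical table, then uses the result to annotate an alert whose signature is tagged with the OS family it affects.

```python
"""Toy passive OS fingerprinting in the spirit of p0f, used to annotate
IDS alerts with the target host's likely platform.

Added example, not part of the original mailing-list thread.  The
signature table, OS family labels, sample packets and sample alert are
all CONSTRUCTED for illustration and are not p0f's real database.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Common initial TTL values; routers decrement by one per hop.
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class SynSignature:
    initial_ttl: int          # TTL the sender started with (inferred)
    window: int               # TCP window advertised in the SYN
    df: bool                  # IP "don't fragment" bit set?
    options: Tuple[str, ...]  # TCP option kinds, in wire order


# Hypothetical signature table (constructed values, NOT p0f's fingerprints).
SIGNATURES: Dict[str, SynSignature] = {
    "unix-like (constructed)":    SynSignature(64, 5840, True,
                                               ("mss", "sackok", "ts", "nop", "wscale")),
    "windows-like (constructed)": SynSignature(128, 65535, True,
                                               ("mss", "nop", "nop", "sackok")),
    "vms-like (constructed)":     SynSignature(255, 4096, False, ("mss",)),
}


def guess_initial_ttl(observed_ttl: int) -> Optional[int]:
    """The original TTL is the smallest common initial value at or above
    the observed one (e.g. an observed 57 most likely started at 64)."""
    for ttl in INITIAL_TTLS:
        if observed_ttl <= ttl:
            return ttl
    return None  # nothing sensible matches; treat as unknown


def fingerprint(observed_ttl: int, window: int, df: bool,
                options: Sequence[str]) -> Optional[str]:
    """Return the OS family whose signature matches this SYN, or None.
    An unknown host is reported as None rather than forced to a guess."""
    probe = SynSignature(guess_initial_ttl(observed_ttl), window, df,
                         tuple(o.lower() for o in options))
    for family, sig in SIGNATURES.items():
        if sig == probe:
            return family
    return None


def triage_alert(alert: Dict[str, str], host_os: Optional[str]) -> str:
    """Annotate an alert using the target host's fingerprint.

    An attack aimed at a platform the host does not run is still an
    attack (not a 'false positive'); it is just labelled as one that
    cannot have succeeded, so the analyst can prioritise accordingly."""
    if host_os is None:
        return "investigate: target platform unknown"
    if host_os != alert["affects"]:
        return "attack against non-vulnerable platform"
    return "investigate: target platform matches"


def demo() -> List[str]:
    """Run the pipeline over constructed SYNs from three hosts and one
    constructed alert that targets the windows-like family."""
    # (observed TTL, window, DF, options) as they might appear on the wire
    # after a few hops.  Constructed sample data.
    observed_syns = [
        (249, 4096, False, ["mss"]),                          # vms-like host
        (117, 65535, True, ["mss", "nop", "nop", "sackok"]),  # windows-like
        (200, 1234, True, ["mss", "wscale"]),                 # nothing in table
    ]
    alert = {"sig": "web-server directory traversal (constructed)",
             "affects": "windows-like (constructed)"}
    return [triage_alert(alert, fingerprint(*syn)) for syn in observed_syns]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of returning `None` for an unmatched SYN is the same caveat that applies to p0f itself: a fingerprint is an educated guess, and an IDS that cannot classify the host should still escalate the alert rather than silently downgrade it.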
