Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network.
From: tHe fuJi (fujix2@hotmail.com) Date: 06/28/02
- Previous message: zippy pinhead: "Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
- In reply to: Tom D'Aquino: "Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
- Next in thread: Michal Zalewski: "Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
- Next in thread: Craig H. Rowland: "RE: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
- Next in thread: Milletary, Jason: "RE: Gateway IDS"
- Reply: Michal Zalewski: "Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "tHe fuJi" <fujix2@hotmail.com>
To: "Tom D'Aquino" <tom_daquino@yahoo.com>, "Andrew Plato" <aplato@anitian.com>, <focus-ids@securityfocus.com>
Date: Fri, 28 Jun 2002 01:12:28 -0500
> Is this how the rest of the IDS community defines a false positive? I
> don't know of a single NIDS product capable of confirming whether or not
> the host was compromised.
If the IDS has a protocol analysis engine then a trained analyst could
determine whether the host was compromised or not. I agree false alarms
suck and make most IDSs too cumbersome to be helpful unless a skilled
analyst is on site. This doesn't seem to happen on a full-time basis too
often at non-G-man sites. Good article, though Snort or Snort-based
solutions (Demarc PureSecure) have never failed on me with comparable
traffic.
-fuJi facTor
----- Original Message -----
From: "Tom D'Aquino" <tom_daquino@yahoo.com>
To: "Andrew Plato" <aplato@anitian.com>; <focus-ids@securityfocus.com>
Sent: Thursday, June 27, 2002 8:01 PM
Subject: Re: Crying wolf: False alarms hide attacks : Eight IDSs fail to impress during the monthlong test on a production network.
> Hi all,
>
> Regarding this article, I found the following sections rather interesting:
>
> "We considered an attack to be any compromise of any computing resource on
> the "protected" network. That resource could be bandwidth, disk space, a
> printer, a password file - basically, anything for which access is not
> explicitly authorized. This is not the same as an attempted attack; if
> there was no compromise, then the IDS is essentially reporting on a
> vulnerability that doesn't exist. During the test, most of the ISPs
> generated so many false positives that it was difficult to spot reports of
> real attacks."
>
> Is this how the rest of the IDS community defines a false positive? I
> don't know of a single NIDS product capable of confirming whether or not
> the host was compromised. I think if an actual attack was thrown at a
> host, the IDS should report on it.
>
> "But Opus One's servers run OpenVMS, not Windows. Even though it is
> trivially easy to figure out what operating system a Web server uses, not
> one of the IDSs did so."
>
> Is nCircle the only company that has a device capable of this?
>
> "Second, most IDSs don't offer a means of grouping hosts or networks
> together under some easily remembered nickname. The exception is NFR,
> which let user-defined groups be set up using its N-code programming
> language."
>
> Isn't this what the "var" command is for in Snort's config file?
>
> Thanks for the input.
> Tom D'Aquino
>
> --- Andrew Plato <aplato@anitian.com> wrote:
> > In-Reply-To: <000201c21bdd$5843dcc0$4c01a8c0@MINE>
> >
> >
> > >Network World Fusion News has a comparison of 8 IDS's. This is an
> > >interesting read.
> > >
> > >http://www.nwfusion.com/techinsider/2002/0624security1.html
> >
> > Great report.
> >
> > Next time they should do RealSecure on one of my Win2k appliances. I have
> > RealSecure Sentry and Guard Appliances out at customer sites on Win2k that
> > have been running error free for months. (sorry for the shameless plug)
> >
> > This also illustrates a dark side of IDSs that virtually no vendor will
> > bother to tell you. IDSs require a lot of tuning and tweaking before they
> > can become an integral part of your network. And there is always a certain
> > percentage of events that are false positives. The only way to get a feel
> > for this is to deploy and baseline those systems. Something they rarely
> > bother to mention in the documentation you get.
> >
> > ------------------------------------
> > Andrew Plato, CISSP
> > President / Principal Consultant
> > Anitian Corporation
> > http://www.anitian.com
> > ------------------------------------
>
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! - Official partner of 2002 FIFA World Cup
> http://fifaworldcup.yahoo.com
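Two points in the thread above invite a worked illustration: Tom's question about Snort's `var` keyword for grouping hosts under a nickname, and Andrew Plato's point that the only way to learn a sensor's false-positive rate is to deploy it and baseline it. The script below is an added example, not code from this post, from Snort, or from any product named in the thread; the snort.conf fragment, the alert lines, the signature IDs (local-rule range) and the addresses are all constructed. It parses `var` definitions into named host groups, reads alerts in Snort's fast output format, and counts which signatures fire most often against which group, which is the list an analyst reviews and tunes before trusting the sensor.

```python
"""Baseline Snort-style alerts against the host groups defined with 'var'.

Added example for this thread, not code from the original post or from Snort.
The snort.conf fragment and the alert lines below are constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed snort.conf fragment. In Snort 1.x/2.x 'var' binds a nickname to a
# network list and rules refer to it as $HOME_NET: the grouping Tom asks about.
SNORT_CONF = """\
var HOME_NET [192.168.1.0/24,10.0.0.0/8]
var DMZ_NET 172.16.5.0/24
var EXTERNAL_NET !$HOME_NET
"""

# Constructed alerts in Snort's "fast" output format. SIDs are in the
# local-rule range (1000000+) so they do not collide with shipped rules.
ALERTS = """\
06/27-20:01:15.123456  [**] [1:1000001:1] WEB-MISC cmd.exe request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:33012 -> 192.168.1.10:80
06/27-20:01:16.001122  [**] [1:1000001:1] WEB-MISC cmd.exe request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.8:40021 -> 192.168.1.10:80
06/27-20:03:40.555555  [**] [1:1000001:1] WEB-MISC cmd.exe request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:51000 -> 172.16.5.20:80
06/27-20:05:02.000001  [**] [1:1000002:2] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.5
06/27-20:05:03.000002  [**] [1:1000002:2] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.6
06/27-20:05:04.000003  [**] [1:1000002:2] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.7
06/27-20:07:11.777777  [**] [1:1000003:1] SMTP RCPT TO overflow [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 198.51.100.4:2500 -> 172.16.5.25:25
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")


def parse_vars(conf):
    """Map each 'var' nickname to a list of ip_network objects.

    Values that reference another variable (e.g. '!$HOME_NET') are skipped:
    they are not an enumerable network list. Anything outside a listed group
    is labelled EXTERNAL_NET by group_for() instead.
    """
    groups = {}
    for line in conf.splitlines():
        m = VAR_RE.match(line)
        if not m or "$" in m.group(2):
            continue
        name, value = m.groups()
        groups[name] = [ipaddress.ip_network(tok, strict=False)
                        for tok in value.strip("[]").split(",")]
    return groups


def group_for(ip, groups):
    """Return the first group nickname containing ip, else 'EXTERNAL_NET'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in groups.items():
        if any(addr in net for net in nets):
            return name
    return "EXTERNAL_NET"


# [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
# Ports are optional because ICMP alerts carry no port field.
FAST_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]"
    r".*?\s(\S+?)(?::(\d+))?\s+->\s+(\S+?)(?::(\d+))?\s*$"
)


def parse_alert(line):
    """Parse one fast-format line into a dict, or None if it is not an alert."""
    m = FAST_RE.search(line)
    if not m:
        return None
    gid, sid, rev, msg, src, sport, dst, dport = m.groups()
    return {"sid": int(sid), "msg": msg, "src": src, "dst": dst,
            "dport": int(dport) if dport else None}


def baseline(alert_text, groups):
    """Count alerts per (sid, msg, destination group) over the baseline window."""
    counts = Counter()
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a:
            counts[(a["sid"], a["msg"], group_for(a["dst"], groups))] += 1
    return counts


def noisy_signatures(counts, threshold):
    """Signature/group pairs that fired at least 'threshold' times, most
    frequent first: the candidates an analyst reviews (suppress, rate-limit,
    or confirm as real) before the sensor is treated as production-ready."""
    hits = [(sid, msg, grp, n)
            for (sid, msg, grp), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: (-h[3], h[0]))


if __name__ == "__main__":
    g = parse_vars(SNORT_CONF)
    for sid, msg, grp, n in noisy_signatures(baseline(ALERTS, g), 2):
        print(f"{n:4d}  sid {sid}  {msg}  -> {grp}")
```

Grouping by destination nickname rather than by individual host is what makes the count readable: three ICMP alerts spread over three HOME_NET hosts collapse into one line. Negated variables such as `!$HOME_NET` are deliberately not expanded; the script treats every address outside a listed group as external, which is the same meaning Snort gives that definition.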