Re: host-based ids evaluation
From: Detmar Liesen <counter.spy@gmx.de>
Date: Thu, 15 Aug 2002 09:15:24 +0200 (MEST)
To: focus-ids@securityfocus.com
Okay, here are my $0.02:
I agree with Toby's opinion on IDS terminology.
There are host-based IDSs and network-based IDSs.
Host-based IDSs:
-> stack-based (i.e. looking into the TCP/IP packets that leave or enter the host); these are sometimes referred to as "Network Node IDS" (NNIDS)
-> log file surveillance (classic HIDS)
-> file tampering (file system integrity checking)
-> kernel-level protection (system call hooking or some sort of sandboxing)
Of course you can combine all these capabilities in a single IDS, e.g. RealSecure combines all of those features except kernel-level protection (correct me if I am wrong).
Network-based IDSs:
-> classic "sniffing" NIDS (sniff off a hub, switch mirror port or network tap)
-> Gateway IDS (GIDS, sometimes referred to as In-line IDS, ILIDS), which is actually a layer 2 forwarding device (forwards all traffic from one NIC to the other), most often combined with active blocking mechanisms when an intrusion is detected.
As to the topic "HIDS evaluation":
I have indeed run tests with Nessus, snot and lots of other programs, both
for NIDS and HIDS evaluation.
It turned out that not all of these programs are good for HIDS evaluation in
general - you won't see anything if nothing enters the machine. If the program
does things your OS or application does not care about, it will not log these
activities.
Another problem is the Nessus dependency checks, as mentioned before, which
prevent most attacks from being performed if the target application does not
"fit", e.g. if you want to run an IIS attack against an iPlanet server you
won't have any luck. :)
Launching an SSH attack against a server that does not run SSH will not work
either.
Snot attacks:
Snot attacks do not establish any valid connection, so you will not see any
alerts on a host-based IDS - except RealSecure ServerSensor 6.5, which is a
hybrid stack-based HIDS and sees a lot of those attacks, though I do not know
if this is still true for RealSecure 7.
What I found most interesting was that tools like netcat could spawn a shell
and bind it to a certain TCP port without any of the tested HIDS noticing
this. :(
This means that if the system was already compromised _before_ you installed the
IDS, you will possibly not notice the backdoor. BTW: To my knowledge, most
AV tools do not find netcat either, so probably you will never find it.
I was able to log into a Windows machine that was running a netcat server
from a Linux box and get a cmd prompt immediately, without a password.
If the admin was logged in on the Windows box (W2K or NT) I could perform
whatever action I wanted to perform: creating or deleting files, starting
programs on the Windows box, etc.
Of course this was all done in a small testing environment and will be
harder to accomplish in the real world.
Cheers,
Detmar
>All opinions are my own and in no way reflect the views of my employer.
>
>I'd recommend against trying to use a vulnerability scanner to try
>and test HIDS. A decent HIDS product will not necessarily light up
>at a Nessus scan since a successful attack has not completed. You
>would have to write custom Nessus scripts if you want it to complete
>an attack. HIDS are best tested by performing actual attacks against
>the system you have the HIDS on.
>
>Toby
>
>> -----Original Message-----
>> From: Andrew Plato [mailto:aplato@anitian.com]
>> Sent: Monday, August 12, 2002 5:19 PM
>> To: glvalecchi@hotmail.com; focus-ids@securityfocus.com
>> Subject: Re: host-based ids evaluation
>>
>>
>> >HI all,
>> >I'm an IDS newbie, I've to evaluate some host-based IDS products.
>> >I need some advice about how to set up a feasible testbed.
>>
>> What HIDS are you evaluating...out of curiosity? There are
>> not very many out there.
>>
>> >I would reproduce some attacks from an attacker machine
>> towards two victim
>> >machines (winnt and solaris) on which I've to install ids sensors:
>> >I need some pointers to find some attack/evaluation tools to
>> exec towards
>> >the victim machine inside my testbed.
>>
>> As for attack tools, there are so many we could spend all
>> day. But a good open-source tool is Nessus. It can run tons
>> of scans against a machine and make most IDSs light up like
>> a Christmas tree. Another swell tool is Retina from eEye
>> Digital. You can download a free-eval copy to bang away at
>> your HIDS and watch them go.
>>
>> These are intended as vulnerability scanners, I should note.
>> But any decent IDS should pick up their scans as events.
>>
>> >I also know something about IDSwakeup/snot/stick tools; but
>> AFAIK they're
>> >for network ids evaluation.
>> >Is there something out there (similar to it) for host-based ids ?
>> >it could be very useful to me if you would point me the right way.
>>
>> All of these tools will work on a HIDS. Just configure their
>> scans to be pointed specifically at the system where the HIDS
>> is running.
>>
>> ------------------------------------
>> Andrew Plato, CISSP
>> President / Principal Consultant
>> Anitian Corporation
>>
>> (503) 644-5656 office
>> (503) 201-0821 cell
>> http://www.anitian.com
>> ------------------------------------
>>
-- GMX - Die Kommunikationsplattform im Internet. http://www.gmx.net
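The netcat bind shell that none of the tested HIDS noticed is the kind of thing a listening-port baseline catches, provided the baseline was taken before the compromise. The following Python script is an added example, not code from the original post or from any of the IDS products named in it. It parses the output formats of Windows `netstat -ano` and `tasklist /fo csv` (both sample outputs below are constructed), and the choice of port 4444 and the image name nc.exe for the backdoor, as well as the contents of the baseline, are assumptions made for the illustration.

```python
"""Baseline check for unexpected TCP listeners, e.g. a netcat bind shell.

Added example (not from the original post or any IDS product).  It parses
the output formats of Windows `netstat -ano` and `tasklist /fo csv`; the
samples below are constructed, with port 4444 and the image name nc.exe
chosen as assumptions for the backdoor.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output: three ordinary listeners
# plus an nc.exe bind shell on 4444 with a remote peer attached.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       760
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.10:3389      192.168.1.5:51022      ESTABLISHED     1204
  TCP    192.168.1.10:4444      192.168.1.7:40210      ESTABLISHED     2312
"""

# Constructed sample of `tasklist /fo csv` output mapping PIDs to images.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","52 K"
"svchost.exe","760","Services","0","5,112 K"
"svchost.exe","1204","Services","0","8,440 K"
"nc.exe","2312","Console","1","1,204 K"
"""

# Known-good (port, image) pairs recorded from the host before it was
# exposed.  Assumed for the example; build yours from a clean install.
BASELINE = {(135, "svchost.exe"), (445, "System"), (3389, "svchost.exe")}

_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
_ESTAB_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\S+):\d+\s+ESTABLISHED\s+(\d+)\s*$")


@dataclass(frozen=True)
class Listener:
    port: int
    pid: int
    image: str


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv`; the header row is skipped."""
    pids = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            pids[int(row[1])] = row[0]
    return pids


def parse_listeners(netstat_text, pid_to_image):
    """Extract LISTENING TCP sockets and attach the owning image name."""
    listeners = []
    for line in netstat_text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            port, pid = int(m.group(1)), int(m.group(2))
            listeners.append(Listener(port, pid, pid_to_image.get(pid, "<unknown>")))
    return listeners


def established_peers(netstat_text):
    """Map local port -> set of remote addresses currently connected to it."""
    peers = {}
    for line in netstat_text.splitlines():
        m = _ESTAB_RE.match(line)
        if m:
            peers.setdefault(int(m.group(1)), set()).add(m.group(2))
    return peers


def unexpected_listeners(listeners, baseline):
    """A listener is suspect if its (port, image) pair is not in the baseline.
    Checking the pair, not just the port, also catches a backdoor that squats
    on a port the baseline allows but is served by a different binary."""
    return [l for l in listeners if (l.port, l.image) not in baseline]


def find_backdoors(netstat_text=NETSTAT_SAMPLE, tasklist_text=TASKLIST_SAMPLE,
                   baseline=BASELINE):
    """Return (port, pid, image, sorted remote peers) for each suspect listener."""
    images = parse_tasklist(tasklist_text)
    peers = established_peers(netstat_text)
    return [(l.port, l.pid, l.image, sorted(peers.get(l.port, ())))
            for l in unexpected_listeners(parse_listeners(netstat_text, images), baseline)]


if __name__ == "__main__":
    for port, pid, image, remote in find_backdoors():
        print(f"unexpected listener tcp/{port} pid={pid} image={image} peers={remote}")
```

The check flags the nc.exe listener on 4444 together with the remote host currently attached to it, which is the Linux box in Detmar's test. The caveat is the one the post makes: the baseline has to come from a known-good state. If the snapshot is taken after the compromise, the bind shell is simply part of the baseline and this check, like the HIDS installed afterwards, will never see it.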