RE: host-based ids evaluation

From: Kohlenberg, Toby (toby.kohlenberg@intel.com)
Date: 08/16/02


From: "Kohlenberg, Toby" <toby.kohlenberg@intel.com>
To: "'Detmar Liesen'" <counter.spy@gmx.de>, focus-ids@securityfocus.com
Date: Thu, 15 Aug 2002 15:06:33 -0700

All opinions are my own and in no way reflect the views of my employer

> -----Original Message-----
> From: Detmar Liesen [mailto:counter.spy@gmx.de]
> Sent: Thursday, August 15, 2002 12:15 AM
> To: focus-ids@securityfocus.com
> Subject: Re: host-based ids evaluation
>
<lots of good stuff snipped>
>
> What I found most interesting was that tools like netcat could spawn a shell
> and bind it to a certain TCP port without any of the tested HIDS noticing
> this. :(
>
> This means, if the system was already compromised _before_ you installed the
> IDS, you will possibly not notice the backdoor. BTW: To my knowledge, most
> AV tools do not find netcat either, so probably you will never find it.

This is why host firewalling should be included as a critical piece of
the layered defense of a system. Either that or have a tool that will at
the very least track netstat output and notice changes.
Ideally though you should have a list of tools that are allowed to talk to
the network that is updated frequently and modified to deny access when the
network monitoring IDS for that host sees something suspicious.

What's that you say? My expectations are too high? Ah well, maybe someday,
right?

Toby
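As an added example of the baseline-and-diff approach Toby describes (this is not the poster's tool, nor any vendor's), the script below parses the text output of Linux `netstat -tlnp`, compares a current snapshot against a saved baseline, and flags any listener whose program is not on an allowlist of programs permitted to accept network connections. The allowlist, the two netstat snapshots, and the `nc` listener on port 31337 are constructed for illustration; a listener netstat cannot attribute to a process (shown as `-`) is treated as suspicious too, since an already-present backdoor looks exactly like that.

```python
#!/usr/bin/env python3
"""Baseline listening sockets and flag new or non-allowlisted listeners.

Added example for the focus-ids thread above, not the poster's own tool.
It works on the text format of `netstat -tlnp` (Linux net-tools), so the
constructed samples below run offline; feed it real command output to use
it on a live host and keep the baseline file somewhere the host cannot alter.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches a net-tools line such as:
# tcp   0   0 0.0.0.0:22   0.0.0.0:*   LISTEN   812/sshd
# The PID/program column is "-" when netstat cannot attribute the socket.
_LINE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+\S+\s+"
    r"(?:LISTEN\s+)?"
    r"(?P<pid>\d+|-)(?:/(?P<prog>\S+))?"
)


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    prog: str  # program name, or "?" when netstat could not resolve it


def parse_netstat(text: str) -> set[Listener]:
    """Parse `netstat -tlnp` output into a set of listening sockets."""
    listeners = set()
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # header lines and anything else we do not understand
        addr, _, port = m.group("local").rpartition(":")
        listeners.add(
            Listener(m.group("proto"), addr, int(port), m.group("prog") or "?")
        )
    return listeners


def audit(baseline: set[Listener], current: set[Listener], allowed: set[str]):
    """Return (new_listeners, disallowed_listeners).

    new_listeners: sockets listening now that were absent from the baseline.
    disallowed_listeners: any current listener whose program is not on the
    allowlist, including unattributed ones ("?"): a hidden or pre-existing
    backdoor is precisely what an unattributed listener looks like.
    """
    new = current - baseline
    disallowed = {l for l in current if l.prog not in allowed}
    return new, disallowed


def run_audit(baseline_text: str, current_text: str, allowed: set[str]):
    """Parse both snapshots, audit them, and return sorted result lists."""
    new, disallowed = audit(parse_netstat(baseline_text),
                            parse_netstat(current_text), allowed)
    key = lambda l: (l.port, l.proto)
    return sorted(new, key=key), sorted(disallowed, key=key)


# Constructed allowlist: programs this host is expected to expose.
ALLOWED_LISTENERS = {"sshd", "named"}

# Constructed baseline snapshot taken when the host was built.
BASELINE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      640/named
"""

# Constructed later snapshot: a netcat bind shell on 31337 and an
# unattributed listener on 8080 have appeared since the baseline.
CURRENT_NETSTAT = BASELINE_NETSTAT + """\
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4242/nc
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -
"""

if __name__ == "__main__":
    new, bad = run_audit(BASELINE_NETSTAT, CURRENT_NETSTAT, ALLOWED_LISTENERS)
    for l in new:
        print(f"NEW listener  {l.proto} {l.addr}:{l.port} ({l.prog})")
    for l in bad:
        print(f"NOT ALLOWED   {l.proto} {l.addr}:{l.port} ({l.prog})")
```

Run it periodically from cron (or a tool that can do the same against `ss -tlnp`), and treat the allowlist as the thing to keep current: a listener that is new but allowlisted is a change to investigate, while an unattributed or non-allowlisted one is the netcat case from the thread.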