RE: host-based ids evaluation

From: Andrew Plato (aplato@anitian.com)
Date: 08/16/02


Date: Thu, 15 Aug 2002 21:35:31 -0700
From: "Andrew Plato" <aplato@anitian.com>
To: "Kohlenberg, Toby" <toby.kohlenberg@intel.com>, <glvalecchi@hotmail.com>, <focus-ids@securityfocus.com>

I don't know, Toby. On one hand, there is some logic to what you say. A HIDS should only warn of a POTENTIAL attack or scan if a scanner like Nessus hits it.

But on the other hand, pointing scanners at IDSs has some value as well. Plenty of not-too-bright hackers will fire up their Nessus scanner and go on a hunt for vulnerabilities. And an IDS should alert about this activity. In this sense, the scanner can offer some value in testing your HIDS and what kinds of responses it generates. BlackICE (for example) is pretty noisy if you run any scanner against it. And it will identify most common scans - like Nessus, Retina (nmap), etc. - as those types of scans.

However, you are correct that obtaining some actual intrusion scripts or tactics can be more enlightening. However, this would require some rolling around in the hacker mud, so to speak.

We did some docs a while back for a company called Cenzic (formerly Click-to-Secure). They had an interesting security scanning tool that allowed you to basically graft intrusion modules together as well as write your own. I had fun making our IDSs go berserk by grafting all sorts of intrusion scripts together and then blasting them out against a server. It's a fun tool.

------------------------------------
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
------------------------------------

> -----Original Message-----
> From: Kohlenberg, Toby [mailto:toby.kohlenberg@intel.com]
> Sent: Wednesday, August 14, 2002 3:25 PM
> To: Andrew Plato; glvalecchi@hotmail.com; focus-ids@securityfocus.com
> Subject: RE: host-based ids evaluation
>
>
> All opinions are my own and in no way reflect the views of my
> employer.
>
> I'd recommend against trying to use a vulnerability scanner to try
> and test HIDS. A decent HIDS product will not necessarily light up
> at a Nessus scan since a successful attack has not completed. You
> would have to write custom Nessus scripts if you want it to complete
> an attack. HIDS are best tested by performing actual attacks against
> the system you have the HIDS on.
>
> Toby
>
>
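The distinction the two posters are drawing (a scan is only a potential attack, while a completed attack is what a HIDS should really flag) can be expressed as a small host-side triage rule: scanner fingerprints and probe bursts are recorded at "potential" severity, and only a post-exploitation indicator raises a "confirmed" alert. The following is an added example written for this page, not code from the thread or from any product it mentions; the log format, field names, thresholds and the shell-spawn indicator are assumptions, and the sample log lines are constructed.

```python
"""Toy host-based alert triage (added example, assumed log format):
scanner noise stays 'potential'; a post-exploitation indicator is 'confirmed'."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample host log in an assumed key=value format (not from the page).
SAMPLE_LOG = """\
2002-08-15T21:00:01 src=10.0.0.5 kind=http ua="Nessus" path=/cgi-bin/probe-a status=404
2002-08-15T21:00:02 src=10.0.0.5 kind=http ua="Nessus" path=/cgi-bin/probe-b status=404
2002-08-15T21:00:03 src=10.0.0.5 kind=http ua="Nessus" path=/cgi-bin/probe-c status=404
2002-08-15T21:00:04 src=10.0.0.5 kind=http ua="Nessus" path=/robots.txt status=200
2002-08-15T21:05:10 src=10.0.0.9 kind=http ua="Mozilla/4.0" path=/cgi-bin/probe-b status=200
2002-08-15T21:05:11 src=10.0.0.9 kind=exec parent=httpd child=/bin/sh uid=0
2002-08-15T21:06:00 src=10.0.0.7 kind=http ua="Mozilla/4.0" path=/index.html status=200
"""

SCANNER_UA = ("Nessus", "Retina")   # scanner names from the thread; fingerprint list is illustrative
PROBE_BURST = 3                     # this many 404s from one source inside PROBE_WINDOW counts as a scan
PROBE_WINDOW = 60                   # seconds
SHELLS = ("/bin/sh", "/bin/bash")   # assumed: web server spawning a shell = attack completed

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one log line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": datetime.fromisoformat(ts)}
    for key, val in KV.findall(rest):
        ev[key] = val.strip('"')
    return ev


def is_scan_fingerprint(ev):
    """Known scanner User-Agent on an HTTP event."""
    return ev.get("kind") == "http" and any(s in ev.get("ua", "") for s in SCANNER_UA)


def is_success_indicator(ev):
    """Assumed indicator of a completed attack: httpd spawning an interactive shell."""
    return (ev.get("kind") == "exec"
            and ev.get("parent") == "httpd"
            and ev.get("child") in SHELLS)


def triage(log_text):
    """Return {src: {'severity': ..., 'reason': ...}} for sources worth reporting."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    misses = defaultdict(list)      # src -> timestamps of 404 responses
    scanning = set()                # sources showing scan behaviour
    alerts = {}
    for ev in events:
        src = ev["src"]
        if is_scan_fingerprint(ev):
            scanning.add(src)
        # Behavioural rule: a burst of distinct misses looks like a probe even without a fingerprint.
        if ev.get("kind") == "http" and ev.get("status") == "404":
            misses[src].append(ev["ts"])
            recent = [t for t in misses[src] if (ev["ts"] - t).total_seconds() <= PROBE_WINDOW]
            if len(recent) >= PROBE_BURST:
                scanning.add(src)
        if src in scanning and src not in alerts:
            alerts[src] = {"severity": "potential", "reason": "scanner activity"}
        # Only evidence that an attack completed escalates to 'confirmed'.
        if is_success_indicator(ev):
            reason = "shell spawned by web server"
            if src in scanning:
                reason += " after scan"
            alerts[src] = {"severity": "confirmed", "reason": reason}
    return alerts


if __name__ == "__main__":
    for src, alert in triage(SAMPLE_LOG).items():
        print(f"{src}: {alert['severity']:9} {alert['reason']}")
```

Run against the constructed log, the Nessus source is reported only as "potential" and the source whose request led to httpd spawning a shell is "confirmed"; the ordinary visitor produces nothing. The point of the split is the one Toby makes: scanner traffic alone is not proof of anything, so a HIDS evaluation should check whether the product raises the second kind of alert, not just the first.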


