R: host-based ids evaluation
From: Gianpiero Porchia (gianpiero.porchia@atsweb.it)
Date: 08/16/02
- Previous message: Kohlenberg, Toby: "RE: IPSec and IDS"
- In reply to: Gian Luca Valecchi: "Re: host-based ids evaluation"
- Next in thread: Andrew Plato: "Re: host-based ids evaluation"
From: "Gianpiero Porchia" <gianpiero.porchia@atsweb.it> To: "IDS Focus" <focus-ids@securityfocus.com> Date: Fri, 16 Aug 2002 14:42:14 +0200
Hi,
Detmar wrote:
>This means, if the system was already compromised _before_ you installed the
>IDS, you will possibly not notice the backdoor. BTW: To my knowledge, most
>AV tools do not find netcat, as well, so probably you will never find it.
I don't know why a VA tool can't find a netcat server. If you know your
hosts, you know which services are running on them, so if you find a strange
service on one (for example port 31337), you have to investigate. It's hard to
find a netcat communication using a NIDS like snort, but if you use another
one, that is looking for associations between hosts and services, you can do
the job.
For example, if I have a list like this:
192.168.0.5, 80,25,22
192.168.0.6, 21,22
If I know that the hosts are running some services, and my NIDS sees traffic to
other services, it'll raise an alert.
Roy Lo wrote:
>NIDS = Proactive
> HIDS = Reactive
I think the definitions are (the focus is on detecting attacks):
Proactive: whatever action done to prevent an attack (VA tools);
Active: Actions made to detect an attack actively, ie depends on the
state you are on (A-box of CIDF);
Reactive: React to an attack, example logging off, SYN-RST sending etc
(C-box of CIDF).
Greg wrote:
>Just to add to what Andrew, Toby and you have stated, people should note
>that most of the vuln scanners these days don't actually exploit the
>service in question. They may poke at it, or they may go a step farther,
>but until they actually exploit it, IMHO, they aren't truly attacking
>anything.
What do we need: to detect attacks, or to detect probes? I guess that we
need both, but at different levels of alert, i.e. a low-level alert for a
probe, and a high level for a successful attack (red alert).
I think that an HIDS is an IDS that looks for attacks at host level (so you need
an HIDS for every host that you want to protect).
So an HIDS can be a NNIDS, a log analyzer, a file integrity checker, a
policy manager, etc.
Using a network tool like Nessus, you can test some of these subsystems;
for example, with CGI scanning, you can obtain alerts from the NNIDS and the log
analyzer, but not from the FIC, and maybe not from the policy manager.
When I test my HIDS, I need to know how it works, and if it can do
"detection-in-depth", i.e. if I can detect an attack using more than one
subsystem, so it can detect the attacks from more perspectives.
Bye
- gianpiero
Ing. Gianpiero Porchia
Security Engineer
ATS - Advanced Telecom Systems
Designing, Testing, Managing Network Quality
Via Salgari, 17 - 41100 Modena - ITALY
Tel +39 059 821332
Fax +39 059 821492
E-mail: gianpiero.porchia@atsweb.it
Web site: http://www.atsweb.it
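The host/service association check described in the message above, written out as an added example (not code from the poster or from any NIDS product): it parses an inventory in the exact "host, port,port,..." format shown, then rates traffic to a listed host on an unlisted port as a high alert when the connection completed and a low alert when only a probe was seen, following the two alert levels suggested later in the post. The inventory, the connection records and the "established"/"syn" state labels are constructed for the example.

```python
import ipaddress

# Constructed inventory in the format used in the post: host, then the
# TCP ports that host is known to serve.
INVENTORY = """\
192.168.0.5, 80,25,22
192.168.0.6, 21,22
"""

# Constructed connection records (not real captures): src, dst, dst port,
# and whether the handshake completed ("established") or only a SYN was
# seen with no service answering ("syn").
CONNECTIONS = [
    ("10.0.0.9", "192.168.0.5", 80, "established"),     # expected web traffic
    ("10.0.0.9", "192.168.0.5", 31337, "established"),  # something answered here
    ("10.0.0.9", "192.168.0.6", 22, "established"),     # expected ssh
    ("10.0.0.42", "192.168.0.6", 8080, "syn"),          # probe, nothing listening
]


def parse_inventory(text):
    """Return {host: set(ports)} from 'host, p1,p2,...' lines."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, ports = line.partition(",")
        ip = str(ipaddress.ip_address(host.strip()))  # validates the address
        known[ip] = {int(p) for p in ports.split(",") if p.strip()}
    return known


def check_connections(known, connections):
    """Alert on traffic to a known host on a port it is not listed to serve.
    A completed connection means a service really answered on an unlisted
    port (high); a bare probe is only reconnaissance (low). Hosts absent
    from the inventory are skipped, since no expectation exists for them."""
    alerts = []
    for src, dst, port, state in connections:
        services = known.get(dst)
        if services is None or port in services:
            continue
        severity = "high" if state == "established" else "low"
        alerts.append((severity, src, dst, port))
    return alerts


if __name__ == "__main__":
    for severity, src, dst, port in check_connections(parse_inventory(INVENTORY), CONNECTIONS):
        print("%s: %s -> %s:%d not in inventory" % (severity, src, dst, port))
```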
------------------------------------