Re: IDS is dead, etc

From: Bennett Todd (bet_at_rahul.net)
Date: 08/06/03

    Date: Wed, 6 Aug 2003 14:57:53 -0400
    To: Paul Schmehl <pauls@utdallas.edu>
    2003-08-06T07:39:28 Paul Schmehl:
    > Why would you want to know about Nimda attacks against your
    > servers?

    (or more generally, attacks that won't succeed)

    Some people _don't_ care. They need to disable the sigs they don't
    care about, or configure their IDS to only match those sigs against
    servers for which they're relevant.

    The limiting case of this argument says that given a really
    perfectly implemented firewall, you don't need an IDS at all. Some
    folks don't.

    I can easily suggest three scenarios where someone might want such
    alerts.

    (1) Suppose you've deployed your IDS on the inside edge of your
        firewall plant, rather than the outside. Aside from false alerts
        where the sig matches truly legit traffic, every alert reflects
        an incident. Someone set up a rogue server inside, and the
        malware got at it through some vector you can't protect against,
        e.g. a laptop that someone got infected when they hooked it up
        at home, then brought it in and hooked it up at their desk.

        This deployment scenario is also great for catching firewall
        config errors that inadvertently permit traffic you didn't
        intend.

    (2) Suppose you're catching this info, and analyzing it in multiple
        dimensions. Even if all the attacks fail, you might be able to
        pick up on a sudden change in the attack profiles, alerting you
        to someone targeting your plant in a focused attack.

    (3) The collected info can be helpful for building knowledge of the
        state of the internet. Groups like the ISACs share trending
        info, as well as details for analyzing new attacks. If your IDS
        is capturing with signatures that focus on vulnerabilities
        rather than on specific exploits, you can gather knowledge of new
        exploits as they are developed. This was a critical resource in
        the early analysis of Nimda, for instance.

    Combine (3) with a honeypot and you're getting into really juicy
    intelligence collection.

    -Bennett
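The "multiple dimensions" analysis in point (2) of the post above, as an added example that is not part of Bennett's message: a small Python script that buckets IDS alerts into hourly windows, tracks per-host alert volume and the number of distinct signatures hitting each host, and flags a host whose profile shifts from background worm noise (one signature sprayed across many servers) to a focused probe (many signatures against one server). The alert line format, signature names, addresses and thresholds are all constructed for the example and do not come from any real IDS product.

```python
"""Attack-profile shift detection over IDS alerts (added example).

Not code from the original Focus-IDS post. The alert line format is
constructed for this example and is not a real IDS output format:
    <ISO-8601 time> <signature-name> <src-ip> -> <dst-ip>:<dst-port>
"""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_alerts():
    """Deterministic, constructed alert stream (not real traffic).

    Hours 0-2: background worm noise, one signature sprayed once per hour
    across eight internal web servers (attacks that fail, per the post).
    Hour 2 also carries a focused probe: one external source hitting one
    server with several distinct signatures within a few minutes.
    """
    base = datetime(2003, 8, 6, 6, 0, 0)
    lines = []
    for hour in range(3):
        for host in range(1, 9):
            t = base + timedelta(hours=hour, minutes=5 * host)
            lines.append(f"{t.isoformat()} WEB-IIS-cmd-exe-access "
                         f"198.51.100.{host} -> 10.0.0.{host}:80")
    focused_sigs = ["WEB-IIS-unicode-traversal", "WEB-IIS-printer-isapi",
                    "WEB-MISC-robots-txt", "WEB-IIS-cmd-exe-access",
                    "WEB-CGI-formmail"]
    for i, sig in enumerate(focused_sigs):
        t = base + timedelta(hours=2, minutes=30 + i)
        lines.append(f"{t.isoformat()} {sig} 203.0.113.7 -> 10.0.0.5:80")
    return lines


def parse_alert(line):
    """Parse one constructed alert line into a dict."""
    ts, sig, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": datetime.fromisoformat(ts), "sig": sig,
            "src": src, "dst": dst_ip, "port": int(dst_port)}


def profile_by_window(alerts, window=timedelta(hours=1)):
    """Bucket alerts into fixed windows (index 0 starts at the earliest alert).

    Per window and destination host, keep the alert count and the set of
    distinct signatures: two of the "dimensions" the post talks about.
    """
    t0 = min(a["time"] for a in alerts)
    windows = defaultdict(lambda: defaultdict(lambda: {"count": 0, "sigs": set()}))
    for a in alerts:
        idx = int((a["time"] - t0) // window)
        cell = windows[idx][a["dst"]]
        cell["count"] += 1
        cell["sigs"].add(a["sig"])
    return windows


def detect_focus_shift(alerts, window=timedelta(hours=1),
                       count_factor=3.0, min_distinct_sigs=3):
    """Flag a host whose alert volume jumps to count_factor x its own prior
    mean in a window AND which is hit by at least min_distinct_sigs
    different signatures in that window.

    Worm background fails the second test (one signature, many hosts), so
    the noise the post says many people ignore stays quiet while a focused
    probe of one server stands out.
    """
    windows = profile_by_window(alerts, window)
    findings = []
    for idx in sorted(windows):
        if idx == 0:
            continue  # nothing to baseline against yet
        for dst, cell in windows[idx].items():
            prior = [windows[w][dst]["count"] for w in range(idx) if dst in windows[w]]
            baseline = max(sum(prior) / len(prior), 1.0) if prior else 1.0
            if (cell["count"] >= count_factor * baseline
                    and len(cell["sigs"]) >= min_distinct_sigs):
                findings.append({"window": idx, "dst": dst, "count": cell["count"],
                                 "baseline": baseline,
                                 "distinct_sigs": len(cell["sigs"])})
    return findings


def run_example():
    """Run detection over the constructed stream and return the findings."""
    alerts = [parse_alert(line) for line in constructed_alerts()]
    return detect_focus_shift(alerts)


if __name__ == "__main__":
    for f in run_example():
        print(f"window {f['window']}: {f['dst']} got {f['count']} alerts "
              f"(baseline {f['baseline']:.1f}) across {f['distinct_sigs']} signatures")
```

On the constructed stream the eight hosts each see one failed worm hit per hour and stay below both thresholds; only 10.0.0.5 in the third window is flagged, because its volume rises from a baseline of one alert to six and five distinct signatures land on it. Requiring the second dimension (signature diversity) alongside the volume jump is what lets the alerts from attacks that cannot succeed still carry the targeting signal the post describes without paging on every worm sweep.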
