Re: ssh and ids

From: Martin Roesch (roesch_at_sourcefire.com)
Date: 06/22/04

    Date: Tue, 22 Jun 2004 17:11:16 -0400
    To: Adam Powers <apowers@lancope.com>
    
    

    On Jun 22, 2004, at 9:56 AM, Adam Powers wrote:

    > Regarding: "Hacker busts into your network and sets up an SSH server,
    > RNA picks it up and can let you know that it detected a new service
    > and logs the flow data, etc."
    >
    > But you can't stop with simple "port profiling". StealthWatch has had
    > this technology for years and we've found that the same problems you
    > run into with IDS alerting are seen when attempting to truly profile
    > and react to each new service entering the network. StealthWatch even
    > takes it a step further and allows you to profile outbound "client"
    > traffic if you wish (in addition to server ports). Still, this is a
    > classic "needle in a haystack" problem. Sure, the data that identifies
    > the attack is there, but it's useless because you can't find it.

    We're not seeking to detect the attack with RNA; that's what our IDS
    product is for. We're looking for the configuration management/security
    policy violation that's indicated by the observed activity, not for
    statistical anomalies or even protocol anomalies from within RNA.

    > Port profiling has to be augmented with other more intelligent
    > techniques to expose the important data.

    RNA doesn't just do "port profiling". The detection of a new active
    port/service/protocol/server/etc. may indicate activity that should be
    analyzed by our policy compliance analysis stage on our management
    console (now called the Sourcefire Defense Center). The result of this
    analysis can then be leveraged to provide whatever kind of response the
    user is interested in.

    > Sure, StealthWatch can be configured to alarm when a new port shows up,
    > but the real power of the port profiling is seen during the flow
    > analysis process. StealthWatch uses the port profile data to determine
    > how network traffic should be analyzed. An example is DNS-related ICMP
    > Port Unreachables. When StealthWatch recognizes a host as being a DNS
    > server, it immediately begins applying flow analysis algorithms that
    > are suitable for analysis of DNS traffic.

    We also have flow analysis capability in addition to the capabilities
    we're developing for our IDS technology to bring forth a true
    target-based detection mechanism that can be leveraged on both the
    deterministic (IDS) proactive detection side and the nondeterministic
    (RNA) policy compliance side of the coin.

    I believe that the original poster wanted to know if there was a system
    out there capable of isolating this kind of activity on the network for
    backdoor detection; it sounds like both of our products can perform that
    function to some degree.

          -Marty

    -- 
    Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
    Sourcefire: Intelligent Security Monitoring
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org
    ---------------------------------------------------------------------------
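The pipeline Roesch describes above (passively observe a new service from flow data, hand it to a policy-compliance check, and alert on the policy violation rather than on a statistical anomaly) in schematic form. This is an added example, not code from RNA, StealthWatch or Snort. The Flow record layout, the allowed-services policy table and the sample flow records are all constructed for illustration; the inference rule (a TCP responder that sent SYN/ACK is a live server, a UDP responder that sent bytes is a live server) is a simplification of what a real profiler does.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One bidirectional flow record (hypothetical NetFlow-style summary)."""
    src: str         # initiator address
    sport: int       # initiator port
    dst: str         # responder address
    dport: int       # responder port
    proto: str       # "tcp" or "udp"
    resp_flags: str  # TCP flags the responder sent back, e.g. "SA"; "" for UDP
    resp_bytes: int  # bytes the responder sent back


Service = Tuple[str, int, str]            # (host, port, proto)
Policy = Dict[Tuple[int, str], Set[str]]  # (port, proto) -> hosts allowed to serve it


def observed_services(flows: List[Flow]) -> Set[Service]:
    """Passively infer listening services from flow summaries.

    A TCP responder that sent SYN/ACK accepted the connection, so dst:dport is
    a live server; a bare RST/ACK (closed port) is ignored. For UDP, any bytes
    from the responder mean something is listening there.
    """
    services: Set[Service] = set()
    for f in flows:
        if f.proto == "tcp" and "S" in f.resp_flags and "A" in f.resp_flags:
            services.add((f.dst, f.dport, "tcp"))
        elif f.proto == "udp" and f.resp_bytes > 0:
            services.add((f.dst, f.dport, "udp"))
    return services


def new_services(baseline: Set[Service], current: Set[Service]) -> Set[Service]:
    """Services seen now that were absent from the baseline profile."""
    return current - baseline


def policy_violations(services: Set[Service], policy: Policy) -> List[Tuple[str, int, str, str]]:
    """Check services against the allowed-services policy.

    Returns (host, port, proto, reason) sorted by host then port. The reason is
    "unregistered_service" when the policy has no entry for that port/proto at
    all, or "host_not_permitted" when the port/proto is known but this host may
    not serve it. Services the policy permits produce no entry.
    """
    alerts = []
    for host, port, proto in sorted(services):
        allowed = policy.get((port, proto))
        if allowed is None:
            alerts.append((host, port, proto, "unregistered_service"))
        elif host not in allowed:
            alerts.append((host, port, proto, "host_not_permitted"))
    return alerts


# Constructed sample data (not real traffic). 10.0.0.0/24 is the monitored LAN;
# 10.0.0.50 is an ordinary internal client, 192.0.2.7 an outside address.
BASELINE_FLOWS = [
    Flow("10.0.0.50", 40001, "10.0.0.10", 22, "tcp", "SA", 2048),   # bastion SSH
    Flow("10.0.0.50", 40002, "10.0.0.20", 53, "udp", "", 120),      # DNS server
    Flow("10.0.0.50", 40003, "10.0.0.30", 80, "tcp", "SA", 5120),   # web server
    Flow("10.0.0.50", 40004, "10.0.0.30", 22, "tcp", "RA", 0),      # closed port, no service
]

CURRENT_FLOWS = BASELINE_FLOWS + [
    Flow("10.0.0.50", 40005, "10.0.0.30", 443, "tcp", "SA", 7000),  # HTTPS added; policy allows it
    Flow("10.0.0.50", 40006, "10.0.0.20", 22, "tcp", "SA", 1800),   # SSH appears on the DNS host
    Flow("192.0.2.7", 51000, "10.0.0.30", 2222, "tcp", "SA", 900),  # new listener on an odd port
]

# Hypothetical policy: which hosts are allowed to offer which services.
POLICY: Policy = {
    (22, "tcp"): {"10.0.0.10"},
    (53, "udp"): {"10.0.0.20"},
    (80, "tcp"): {"10.0.0.30"},
    (443, "tcp"): {"10.0.0.30"},
}


def run_example() -> List[Tuple[str, int, str, str]]:
    """Profile the baseline, diff it against current flows, apply the policy."""
    baseline = observed_services(BASELINE_FLOWS)
    current = observed_services(CURRENT_FLOWS)
    return policy_violations(new_services(baseline, current), POLICY)


if __name__ == "__main__":
    for host, port, proto, reason in run_example():
        print(f"ALERT {host}:{port}/{proto} {reason}")
```

Two of the three new services trip the policy (SSH on the DNS host, and the unregistered port 2222 listener on the web server); the new HTTPS service on the web server is permitted and stays quiet. The point of the design is that the detector never decides what is "anomalous": the baseline only narrows the candidate set, and the policy table is what turns a new service into an alert.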
    
