Re: Intrushield vs. ISS once more...

From: Thomas Ptacek (tqbf_at_arbor.net)
Date: 01/05/05

  • Next message: Jeff McCarthy: "IPS with no IP address?"
    Date: Wed, 5 Jan 2005 10:24:19 -0500
    To: "Maynor, David (ISS Atlanta)" <dmaynor@iss.net>
    
    

    Regarding "psychic packet capture" (an aptly named feature):

    If it's such an interesting and useful feature, one wonders why Robert
    Graham hasn't simply built it yet. It's not particularly hard.

    Let me take a stab:

    On a medium-large network we expect to see in the neighborhood of
    10kfps. Assume a mean packet size of 300 bytes, and we're occupying 150
    megs of resident memory.

    This of course assumes no overlap; that connections terminate
    instantaneously. They don't. Assume that half the connections last a
    second, half those remaining live into the next second, and decay from
    there. Now we need 300 megs of resident memory to keep 50 bytes for
    every active connection.

    Double these numbers if you're tracking both sides of the connection.

    On a network running at 10kfps a loaded sensor probably does
    interesting memory management (or runs in the kernel) just to deal with
    the memory latency from maintaining connection state --- not packet
    contents, just connection stats --- for all those connections. Keeping
    contents incurs a memory copy. Does your existing system copy raw
    packets manually into DRAM after they've been DMA'd into a receive
    buffer?

    Can this be done? I'm sure it can (though not in those Miss Cleo Perl
    scripts you're referring to): you can buy systems that will promise to
    copy all packets onto DISK. Why haven't you seen it in your IDS
    already?

    Probably because it isn't very useful.

    For instance:

    A system like Lancope's (statistical anomalies) doesn't generate alerts
    based on individual packets or even individual connections. It's
    detecting rate shifts based on time. This is detection based on context
    (useful for some things, don't get me wrong). What's the likelihood
    that the forensic information you're actually looking for is contained
    in the 15kB of data associated with the connection that happened to
    trip a threshold?

    I'd probably have to concede that the feature is more useful in
    signature systems, where detection is atomic with respect to
    connections. But then I'd have to ask:

    How hard do you think a system like this would be to attack?

    I await my smackdown from Rob Graham or Mike Frantzen or Mike
    Stolarchuk or whoever...

    On Dec 31, 2004, at 4:16 AM, Maynor, David (ISS Atlanta) wrote:

    > Lancope product called Therminator. It incorporates a process they call
    > "psychic packet prediction." This attempts to maintain a certain buffer
    > of every connection. I can't remember the number; I think 50 packets or
    > so. When something in that buffer causes an alarm the entire buffer is
    > saved so not only do you get the packets that caused the alarm, you get
    > a certain amount ahead and behind it. This helps with forensics
    > greatly.
    >

    ---
    Thomas H. Ptacek // Product Manager, Arbor Networks
    (734) 327-0000
    --------------------------------------------------------------------------
    Test Your IDS
    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from 
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
    to learn more.
    --------------------------------------------------------------------------
    

  • Next message: Jeff McCarthy: "IPS with no IP address?"

    Relevant Pages

    • X & Gnome crashes the system with iptables
      ... kernel 2.4.21, ... I spent a lot of time to write rules for iptables to obtain a good firewall. ... # Support for connection tracking ... packets are denied until ...
      (comp.os.linux.setup)
    • X & Gnome crashes the system with iptables
      ... kernel 2.4.21, ... I spent a lot of time to write rules for iptables to obtain a good firewall. ... # Support for connection tracking ... packets are denied until ...
      (alt.linux)
    • X & Gnome crashes the system with iptables
      ... kernel 2.4.21, ... I spent a lot of time to write rules for iptables to obtain a good firewall. ... # Support for connection tracking ... packets are denied until ...
      (comp.os.linux.security)
    • X & Gnome crashes the system with iptables
      ... kernel 2.4.21, ... I spent a lot of time to write rules for iptables to obtain a good firewall. ... # Support for connection tracking ... packets are denied until ...
      (comp.os.linux.x)
    • Re: How to establish connections to the servers inside a DMZ?
      ... Each server is assigned one of those IPs. ... >> (inside the DMZ) is accessed. ... >Directing packets to the dmz is accomplished with route table entries. ... >packets) and use connection tracking and ESTABLIHED, ...
      (comp.os.linux.networking)