Re: How to choose an IDS/FW MSS provider

From: Prashant Khandelwal (safepacket_at_gmail.com)
Date: 03/21/05

Date: Mon, 21 Mar 2005 12:35:30 +0530
To: focus-ids@securityfocus.com


See comments inline.

-Prashant

On Thu, 17 Mar 2005 10:03:00 -0500, Andre Ludwig <andre.ludwig@gmail.com> wrote:
<Snip>
> I would also like to add this simple question (and answer) to the mix.
>
> What is the best way to evade an IDS?
>
> Knowing what it looks for...
>
> Open sigs for an IDS/IPS do more harm than good (for the majority) IMO.
</Snip>

I totally agree upon that .. But another problem of having closed
signatures is that they cannot be customized for reducing false positives,
which was the other part of this debate!! The solution for the
problem would be something intermediate, as you suggested ..

<Snip>
> I.e. a SKILLED attacker wants to attack my network, and I use an IDS
> that has an open sig set. Via posts on various mailing lists the
> attacker has worked up a probability matrix of what products are being
> used for IDS/IPS. So happens that those products have an open
> signature set. Now all the attacker has to do is look at what those
> systems' deficiencies are (be it from a technical standpoint, be it
> from a sig standpoint) and modify his attack to circumvent the
> product that is put in place.
>
> Those open sigs sure did help in evading the protection put in place.
>
> The best option IMO is having a skilled R&D team who is on the edge of
> what is out there, a closed signature set, and the ABILITY to add your
> own SIGNATURES from other sources (be it snort based rules only or
> snort based rules + vendor based rule framework). All of a sudden
> you then have the best of both worlds.
</Snip>

That's a good idea indeed, but it might not turn out to be cost- and time-effective
as this requires a lot of expertise and effort. In the
longer run this may be painful IMHO.

The usual practice for implementing the IPS, and one of the good
intermediate ways which perhaps everybody follows to overcome the closed
sigs/false +ves problem, is to implement the IPS in sniffer mode (to
act as IDS) initially in your environment, study the false
positives and then report them to the respective vendor. That would be
a test against the vendor's support also :-). Once you feel everything is
fine, the same can be put into inline mode (that's what most
vendors recommend too), but at the same time if your vendor support
ain't good you are left clueless !! With some vendors having their
framework already laid for writing custom signatures .. the IDS/IPS can
be tuned perfectly for your environment :-)

<Snip>
> Oh and simple pattern matching is crap, there needs to be an
> abstraction layer above the pattern matching that says "apply this
> pattern if the following criteria have been met {syn syn ack syn ack
> *pattern* rst}" or something along those lines that are exploit
> specific, be it flow information or protocol level flags or features.
</Snip>

Very true.. ahh, but that's why ppl like to have open sigs perhaps !!
At the same time, if you are security conscious then you gotta be
paranoid / you will prefer closed sigs.
I know I have written self-contradicting statements but this is what I think.

-Prashant
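Added example (not code from this thread or from any product discussed in it): the "abstraction layer above the pattern matching" that Andre describes, in miniature. A stateful matcher tracks the SYN / SYN-ACK / ACK handshake per TCP flow and applies a content pattern only on flows that reached ESTABLISHED, while a naive matcher fires on any packet that carries the bytes. The packet stream and the pattern `/cgi-bin/` are constructed for illustration; class and function names are hypothetical. Run over the same stream, the naive matcher alerts three times and the stateful one once, which is the false-positive difference the thread is arguing about.

```python
# Added example (not code from the thread): a minimal stateful signature
# engine next to a naive byte matcher. Names and the packet stream below are
# constructed for illustration only.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # subset of "S", "A", "P", "F", "R", e.g. "SA"
    payload: bytes = b""


FlowKey = Tuple[Tuple[str, int], ...]


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key so both halves of a conversation share state."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class StatefulMatcher:
    """Tracks SYN -> SYN/ACK -> ACK per flow; the pattern applies only once ESTABLISHED."""

    def __init__(self, pattern: bytes) -> None:
        self.pattern = pattern
        self.state: Dict[FlowKey, str] = {}

    def process(self, p: Packet) -> bool:
        """Return True if this packet should raise an alert."""
        key = flow_key(p)
        st = self.state.get(key, "CLOSED")
        if "R" in p.flags or "F" in p.flags:
            self.state.pop(key, None)       # teardown: later packets start over
            return False
        if "S" in p.flags and "A" not in p.flags:
            st = "SYN_SENT"                 # client opened the flow
        elif "S" in p.flags and "A" in p.flags and st == "SYN_SENT":
            st = "SYN_RECV"                 # server answered
        elif st == "SYN_RECV" and "A" in p.flags:
            st = "ESTABLISHED"              # third packet of the handshake
        self.state[key] = st
        # Content check only on a flow whose handshake actually completed.
        return st == "ESTABLISHED" and self.pattern in p.payload


def naive_match(pkts: List[Packet], pattern: bytes) -> int:
    """Plain pattern matching: any packet with the bytes counts as a hit."""
    return sum(1 for p in pkts if pattern in p.payload)


def stateful_match(pkts: List[Packet], pattern: bytes) -> int:
    """Same pattern, gated by flow state."""
    m = StatefulMatcher(pattern)
    return sum(1 for p in pkts if m.process(p))


PATTERN = b"/cgi-bin/"    # constructed content pattern, not a real signature

# Constructed stream: one genuine handshake followed by a request that carries
# the pattern, one packet with the pattern but no handshake behind it, and one
# packet with the pattern sent after the flow was reset.
SAMPLE = [
    Packet("10.0.0.5", 40000, "10.0.0.9", 80, "S"),
    Packet("10.0.0.9", 80, "10.0.0.5", 40000, "SA"),
    Packet("10.0.0.5", 40000, "10.0.0.9", 80, "A"),
    Packet("10.0.0.5", 40000, "10.0.0.9", 80, "PA", b"GET /cgi-bin/test HTTP/1.0\r\n"),
    Packet("10.0.0.7", 51000, "10.0.0.9", 80, "PA", b"GET /cgi-bin/x HTTP/1.0\r\n"),
    Packet("10.0.0.5", 40000, "10.0.0.9", 80, "R"),
    Packet("10.0.0.5", 40000, "10.0.0.9", 80, "PA", b"GET /cgi-bin/y HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print("naive alerts:   ", naive_match(SAMPLE, PATTERN))     # 3
    print("stateful alerts:", stateful_match(SAMPLE, PATTERN))  # 1
```

The second and third hits of the naive matcher are exactly the kind of noise the "implement it in sniffer mode first and study the false positives" step is meant to surface: bytes that look like an attack on a flow that was never established, or that the target already closed. A real engine would also have to track sequence numbers, reassemble segments and expire stale flows, which this sketch deliberately leaves out.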


