Re: FW: IDS Signature Confidence
From: Vipul Kumra (secureskillz_at_yahoo.com)
Date: 06/21/05
- Previous message: Raffael Marty: "RE: generating a network map"
- Maybe in reply to: Raffael Marty: "IDS Signature Confidence"
- Next in thread: bbhikkaji_at_yahoo.co.in: "Re: Re: FW: IDS Signature Confidence"
- Maybe reply: bbhikkaji_at_yahoo.co.in: "Re: Re: FW: IDS Signature Confidence"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 21 Jun 2005 01:57:15 -0700 (PDT)
To: focus-ids@lists.securityfocus.com
There can be different approaches to detect a DOS attack when using IDS. It depends upon what type of DOS attack you are trying to prevent, e.g. a DOS attack can be accomplished by sending a large number of packets so as to overwhelm the system, thus causing it to stop servicing legitimate requests. The other way could be to just send a single packet that causes a buffer overflow in some application so that it hangs or terminates (which will again lead to a DOS situation).

Now to tackle the second case, where a single packet can do enough harm, we can write a signature to drop that packet by just looking at its contents.

For detecting the first case there can be counter based signatures. The counter based category of IDS attacks is the one that is detected if packets containing certain characteristics are seen repeatedly in the network. The attack is confirmed if “n” number of packets containing a specified characteristic are seen in the network within “t” time. The counter based attacks typically cause a denial of service to other genuine packets in the system, by flooding the resource that other genuine packets in the system are also attempting to use. For this reason, the counter based attacks are also called “Denial of Service Attacks”.

Proper testing of the signature should be done to find out a near accurate false positive and false negative ratio.
Vipul
> -----Original Message-----
> From: Raffael Marty [mailto:raffy@raffy.ch]
> Sent: Tuesday, June 21, 2005 4:30 AM
> To: focus-ids@lists.securityfocus.com
> Subject: IDS Signature Confidence
>
>
> I was thinking about this following problem: Assume you have an NIDS signature looking for DoS attacks. In most of the cases I don't trust the NIDS reporting on a DoS attack. A lot of the DoS sigs just look at some bytes on the wire and tell me that there is a DoS attack going on. However, I need some more evidence that my services are indeed not accessible anymore. Some signatures on the other hand are very specific and you can trust them with whatever they report.
>
> Now this brings me to my question: How do you guys decide how much confidence you put in a certain IDS signature? And I am not talking about prioritizing the event. I am talking about assigning a "success" or "possible success" to signatures.
>
> -raffy
>
>
> --
> Raffael Marty, GCIA, CISSP
> raffael.marty@arcsight.com
> Senior Security Engineer
> Content Team @ ArcSight Inc.
> 5 Results Way Cupertino, CA 95014
> (408) 864-2662
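The two signature styles Vipul describes, a content match on a single packet and a counter based rule that fires on “n” packets with a shared characteristic within “t” seconds, as an added example that is not part of the thread. The packet records, the payload-length threshold and the n/t values are all constructed for illustration; the second run in the test shows how loosening t changes which hosts trip the counter, which is the false positive question the message ends on.

```python
"""Content-based and counter-based IDS rules replayed over constructed traffic.
Added example; thresholds are placeholders, not bounds for any real service."""
from collections import deque
from typing import Deque, Dict, List, Set, Tuple

# Constructed sample traffic: (timestamp_seconds, src_ip, dst_port, payload)
PACKETS: List[Tuple[float, str, int, bytes]] = (
    [(i * 0.1, "10.0.0.5", 80, b"GET / HTTP/1.0\r\n") for i in range(12)]  # 12 pkts in ~1.1 s
    + [(0.5, "10.0.0.9", 80, b"GET /index.html HTTP/1.0\r\n")]             # one benign request
    + [(2.0, "10.0.0.7", 53, b"A" * 600)]                                    # one oversized payload
    + [(10.0 + i * 2.0, "10.0.0.8", 80, b"GET / HTTP/1.0\r\n") for i in range(12)]  # slow trickle
)

def content_signature(payload: bytes, max_len: int = 512) -> bool:
    """Single-packet rule: fire when the payload alone is the problem.
    Here the characteristic is simply 'longer than max_len' (constructed)."""
    return len(payload) > max_len

class CounterSignature:
    """Counter-based rule: alert once when n packets sharing a key (the source
    address here) are seen within a sliding window of t seconds."""
    def __init__(self, n: int, t: float) -> None:
        self.n, self.t = n, t
        self.windows: Dict[str, Deque[float]] = {}
        self.fired: Set[str] = set()

    def observe(self, ts: float, key: str) -> bool:
        win = self.windows.setdefault(key, deque())
        win.append(ts)
        while win and ts - win[0] > self.t:  # expire timestamps older than t
            win.popleft()
        if len(win) >= self.n and key not in self.fired:
            self.fired.add(key)  # one alert per source, not one per extra packet
            return True
        return False

def run_signatures(packets, n: int = 10, t: float = 1.0) -> List[Tuple[str, str]]:
    """Replay packets in time order; return (rule, source) for every alert raised."""
    counter = CounterSignature(n, t)
    alerts: List[Tuple[str, str]] = []
    for ts, src, _port, payload in sorted(packets):
        if content_signature(payload):
            alerts.append(("content", src))
        if counter.observe(ts, src):
            alerts.append(("counter", src))
    return alerts

if __name__ == "__main__":
    for rule, src in run_signatures(PACKETS):
        print(f"{rule:8s} alert from {src}")
```

With the tight window only the burst source and the oversized packet alert; widening t to 30 seconds also flags the slow trickle from 10.0.0.8, which may or may not be the behaviour you want to call a DoS.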