Re: IPS comparison

From: Adam Powers (apowers_at_lancope.com)
Date: 08/31/05

    Date: Tue, 30 Aug 2005 18:02:01 -0400
    To: Ron Gula <rgula@tenablesecurity.com>, Focus-Ids Mailing List <focus-ids@securityfocus.com>
    
    

    > - I agree that "anomaly detection" != "zero day" detection. Just because
    > my DNS server starts to connect to all the other hosts on my network,
    > doesn't mean it has got a worm on it.

    This is why most of today's *successful* anomaly detection technologies
    incorporate a learning or "behavioral" component that overcomes this kind of
    problem. Take StealthWatch for instance. When a new DNS server comes online,
    StealthWatch looks at the flows being generated by the server, figures out
    what the server is and how it's behaving, then applies the appropriate
    algorithms given the contextual awareness of the server's learned behaviors.

    In a nutshell:

    1. New host detected.
    2. Let's watch it for a bit and figure out what it's up to.
    3. Now that we know what the machine is and does, apply the proper anomaly
    detection techniques to the traffic generated by the host.

    Let's study your DNS example...

    From experience, I know that Windoze 2K domain controllers tend to drive
    network-based detection systems crazy due to a race condition in the
    implementation of the Windows 2000 resolver.

    1. Workstation-A has 2 nameservers configured, DNS-A and DNS-B.
    2. Workstation-A tries to resolve yahoo.com using DNS-A (the first
    nameserver in the list).
    3. For whatever reason (packet loss, busy server, etc.) DNS-A never responds
    to Workstation-A's query.
    4. After 1 second, Workstation-A times out the request and transmits the
    same query to DNS-A and DNS-B from the SAME SOURCE PORT (this is key).
    5. DNS-B gets the request first and responds with yahoo.com's address.
    6. Workstation-A receives DNS-B's answer and closes the UDP socket on which
    it was listening for the answer.
    7. DNS-A responds milliseconds after DNS-B but when the packet hits
    Workstation-A, the socket is already closed and Workstation-A responds with
    an ICMP PORT_UNREACHABLE.

    For many systems, ICMP PORT_UNREACHABLEs are seen as the response to a UDP
    scan (and indeed they often are). The trick is to be smart enough to know if
    the PORT_UNREACHABLES are the result of a broken Windows client resolver or
    that of an actual UDP scan. StealthWatch, knowing that the machine is a
    Windows 2000 DNS Server, will allow for ICMP PORT_UNREACHABLES associated
    with DNS queries without raising UDP Scan alarms and alerts. This kind of
    logic is a requirement of any network-based anomaly detection system.
    Without it, EVERYTHING is an anomaly and the system is rendered useless by
    the sheer number of events generated.

    -AP

    On 8/29/05 8:55 PM, "Ron Gula" <rgula@tenablesecurity.com> wrote:

    > At 06:01 PM 8/29/2005, Stefano Zanero wrote:
    >> Daniel Cid wrote:
    >>> This "anomaly" detection will only detect 0-day
    >>> exploits for known vulnerabilities.
    >>
    >> A zero-day exploit is a curious marketing thing. You suddenly redefine a
    >> difficult problem (catching zero-days) as a rather simpler problem
    >> (create signatures that actually describe the vulnerability, which is
    >> what any signature worth your licensing cost should do).
    >>
    >> So, presto!, you can rush up and put out some rather nice marketing
    >> material on it.
    >>
    >> Fact is, anomaly detection is so rare that it's almost nonexistent in the
    >> commercial products, except for limited forms of "protocol anomaly
    >> detection" and for Arbor's peakflow technology.
    >
    > Two comments here.
    >
    > - lots of NIDS that tend to code for a vulnerability, don't actually
    > code for the vulnerability. They are still writing attack signatures.
    > The attack signatures are smarter than what was standard about five
    > years ago, but I've yet to really see a NIDS come out of the box
    > with full vuln/IDS correlation.
    >
    > - I agree that "anomaly detection" != "zero day" detection. Just because
    > my DNS server starts to connect to all the other hosts on my network,
    > doesn't mean it has got a worm on it.
    >
    > Ron Gula, CTO
    > Tenable Network Security
    >
    >
    > ------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it
    > with real-world attacks from CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > ------------------------------------------------------------------------
    >

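The correlation logic described in the post above, as an added illustration that is not part of Adam Powers' message and not StealthWatch's actual code: a small Python correlator that attributes an ICMP port-unreachable to the Windows resolver retry artifact only when the host that emitted it had recently sent a DNS query from that same source port to the server that triggered it, and otherwise counts it toward a UDP-scan verdict. All hosts, ports and flow records are constructed sample data; the `Event` record layout, `detect_udp_scans` and `build_sample_events` are assumptions of this example.

```python
"""Correlate ICMP port-unreachables with prior DNS queries (added example).

Event records, addresses, ports and the detection thresholds below are all
constructed for illustration; they are not taken from any real capture.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

DNS_PORT = 53


@dataclass
class Event:
    ts: float      # seconds since start of the (constructed) capture
    kind: str      # "udp" or "icmp_port_unreach"
    src: str
    sport: int
    dst: str
    dport: int
    # For an ICMP port unreachable, the header of the datagram that provoked it
    # (ICMP quotes the offending IP header plus the first 8 bytes, i.e. UDP ports).
    inner_src: str = ""
    inner_sport: int = 0
    inner_dst: str = ""
    inner_dport: int = 0


def detect_udp_scans(events: List[Event], window: float = 5.0, threshold: int = 3):
    """Return (alerts, explained).

    alerts    : list of (apparent_scanner, target, count) for hosts that drew at
                least `threshold` port-unreachables nothing else accounts for.
    explained : number of port-unreachables attributed to a late DNS answer
                arriving after the client had already closed its socket.
    """
    # (client, client_port, server) -> time of the most recent query seen
    pending: Dict[Tuple[str, int, str], float] = {}
    unexplained: Counter = Counter()
    explained = 0
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "udp" and ev.dport == DNS_PORT:
            pending[(ev.src, ev.sport, ev.dst)] = ev.ts
        elif ev.kind == "icmp_port_unreach":
            # ev.src is the host whose port was closed (the apparent target);
            # inner_src is the host that sent the UDP datagram (the apparent scanner).
            key = (ev.src, ev.inner_dport, ev.inner_src)
            q_ts = pending.get(key)
            if (q_ts is not None and ev.inner_dst == ev.src
                    and ev.inner_sport == DNS_PORT and 0 <= ev.ts - q_ts <= window):
                explained += 1   # answer from a resolver the client already gave up on
            else:
                unexplained[(ev.inner_src, ev.src)] += 1
    alerts = [(s, t, n) for (s, t), n in unexplained.items() if n >= threshold]
    return alerts, explained


def build_sample_events() -> List[Event]:
    """Constructed capture: four resolver retries as in the post, then a real sweep."""
    ws, dns_a, dns_b = "10.0.0.10", "10.0.0.53", "10.0.0.54"
    scanner, victim = "192.0.2.200", "10.0.0.20"
    events: List[Event] = []
    # Workstation-A: query DNS-A, 1 s timeout, retransmit to both servers from
    # the same source port, DNS-B answers, DNS-A answers late and is rejected.
    for i, port in enumerate((1025, 1026, 1027, 1028)):
        t0 = 10.0 * i
        events += [
            Event(t0, "udp", ws, port, dns_a, DNS_PORT),
            Event(t0 + 1.0, "udp", ws, port, dns_a, DNS_PORT),
            Event(t0 + 1.0, "udp", ws, port, dns_b, DNS_PORT),
            Event(t0 + 1.01, "udp", dns_b, DNS_PORT, ws, port),
            Event(t0 + 1.02, "udp", dns_a, DNS_PORT, ws, port),
            Event(t0 + 1.02, "icmp_port_unreach", ws, 0, dns_a, 0,
                  inner_src=dns_a, inner_sport=DNS_PORT, inner_dst=ws, inner_dport=port),
        ]
    # A genuine UDP sweep of the victim's low ports: the victim never sent
    # anything that accounts for the unreachables it produces.
    for j, port in enumerate(range(100, 105)):
        t0 = 50.0 + 0.01 * j
        events += [
            Event(t0, "udp", scanner, 40000 + j, victim, port),
            Event(t0 + 0.001, "icmp_port_unreach", victim, 0, scanner, 0,
                  inner_src=scanner, inner_sport=40000 + j, inner_dst=victim, inner_dport=port),
        ]
    return events


if __name__ == "__main__":
    found, ok = detect_udp_scans(build_sample_events())
    print(f"explained by resolver retry: {ok}")
    for scanner_ip, target_ip, n in found:
        print(f"UDP scan: {scanner_ip} -> {target_ip} ({n} unexplained port-unreachables)")
```

The point of the correlator is the key it looks up: the quoted inner header of the ICMP message tells you which local port was probed and by whom, and a matching recent query from that very port to that very server (on port 53) is what distinguishes a late resolver answer from a probe. Tightening `window` or requiring an observed answer from the other resolver before excusing the unreachable are the obvious knobs a real system would expose.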

