Re: Current IDS problems

From: Dhruv Soi (dhruv_ymca_at_yahoo.com)
Date: 10/22/05

  • Next message: Terry Vernon: "Re: Current IDS problems"
    Date: Sat, 22 Oct 2005 11:25:03 -0700 (PDT)
    To: crazy frog crazy frog <i.m.crazy.frog@gmail.com>, zero <zeroboy@arrakis.es>
    
    

    But false positives are induced by the researchers
    who have created low quality signatures to bring
    false positives.

    The problem I see in case of false positives is
    limitations in Language Constructs of IDS and Engine
    support, to digest those signatures. Even if a
    Vulnerability researcher is able to discover what
    should be ideal signature to stop blah blah attack, he
    requires language constructs in engine to provide him
    the ability to write such signatures. But due to
    severity of attack he/she really wants to get away by
    writing the signature in any case. So this ends up in
    low quality signature at times and hence promoting
    false positives. I am not saying this happens most of
    the times, but sometimes researchers complain for this
    thing. And providing such facilities for researchers
    may sometimes require a lot of changes in engine which
    company can't afford to do or sometimes the
    requirement is not even feasible.

    So I should say that this problem is in architecture
    implementation or researchers and not actually in IDS
    technology as such. Which simply no company can avoid
    as there is always a human working on that part.

    But to overcome the problem of false positives, IDS
    companies are providing Vulnerability Correlation
    mechanism/Data-Mining Techniques in their products.

    But this was all about insights and 0boy might be
    concerned about the IDS implementation. So I would
    like to list down few of those points out here...

    1. Of course False positives, if the IDS is not
    supporting the things I talked above.
    2. log analysis of IDS to see the attack happening on
    your network.
    3. Handling of zero day attack for high severity
    vulnerabilities.
    4. Frequency of signature updates to clients. It
    should be like product companies are providing
    signatures to clients, where attack came into picture
    one month back.
    5. Many of the IDS companies are still not much sure
    that their product is 100% protecting against IDS
    evasion technique, wherein an attack can be bypassed.
    But don't worry every company will claim that "They
    Do".
    6. GUI of few products is not that user friendly.
    7. Redundancy of Hardware components of IDS, in case
    it's a hardware product. Sometime back, I have evaluated
    few IDS/IPS products to carry out some recommendation
    project for some company. But I have not seen any
    product that doesn't provide this capability. You may
    see some product, coz there are lot of in market.
    8. I even found good Support Service from all the
    companies. Whenever I required any help to understand
    any of the feature from inside they always responded
    quickly. And the guys giving the support were actually
    smart enough to understand my words and giving me
    satisfactory answers, so never had an experience of
    hitting my head on wall ;-). But Service support is one
    of the biggest parameter which can take you into big
    time frustration.

    To end-up the mail I feel the problems can be
    categorized into Signatures(Both accuracy and response
    time), Implementation(Both software and hardware) and
    Service Support(both in terms of Response time and the
    smartness of ppl).

    I hope I am able to explain the things and you are
    not hitting your head on wall ;-)

    -Dhruv
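
The point above about engine constructs and low quality signatures, as an added illustration that is not part of the original thread: a toy rule evaluator (constructed here, with made-up HTTP traffic, hypothetical rule fields `uri_only` and `method`) where the same pattern written without URI and method constraints fires on benign requests, while the constrained form the researcher would prefer does not.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    """A minimal signature: a byte pattern plus optional constraints that an
    engine may or may not let the rule author express."""
    name: str
    content: str                   # pattern the rule looks for
    uri_only: bool = False         # inspect only the HTTP request-URI
    method: Optional[str] = None   # require this HTTP method

def http_request(payload: str) -> Optional[Tuple[str, str]]:
    """Return (method, uri) from an HTTP request line, or None if not HTTP."""
    m = re.match(r"^([A-Z]+)\s+(\S+)\s+HTTP/1\.[01]\r\n", payload)
    return (m.group(1), m.group(2)) if m else None

def matches(rule: Rule, payload: str) -> bool:
    req = http_request(payload)
    if rule.method and (req is None or req[0] != rule.method):
        return False
    haystack = (req[1] if req else "") if rule.uri_only else payload
    return rule.content in haystack

def evaluate(rule: Rule, traffic) -> Tuple[int, int, int]:
    """Count (true positives, false positives, false negatives) over traffic."""
    tp = fp = fn = 0
    for payload, malicious in traffic:
        hit = matches(rule, payload)
        tp += int(hit and malicious)
        fp += int(hit and not malicious)
        fn += int(malicious and not hit)
    return tp, fp, fn

# What you end up writing when the engine only offers a raw content match.
LOOSE = Rule("cmd.exe anywhere", "cmd.exe")
# What the researcher wants: the full path, anchored to the URI of a GET.
TIGHT = Rule("cmd.exe in GET URI", "/system32/cmd.exe", uri_only=True, method="GET")

# Constructed sample traffic (payload, is_malicious); not real captures.
TRAFFIC = [
    ("GET /cgi-bin/../../winnt/system32/cmd.exe HTTP/1.0\r\n", True),
    ("POST /helpdesk/ticket HTTP/1.1\r\n\r\nbody=C:/Windows/system32/cmd.exe is missing", False),
    ("GET /search?q=cmd.exe+help HTTP/1.1\r\nHost: www.example.com\r\n", False),
    ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n", False),
]
if __name__ == "__main__":
    for rule in (LOOSE, TIGHT):
        print(rule.name, "-> (TP, FP, FN) =", evaluate(rule, TRAFFIC))
```

On this sample the loose rule scores (1, 2, 0) and the tight rule (1, 0, 0): same detection, two fewer false positives, purely from what the rule language lets the author say.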

    --- crazy frog crazy frog <i.m.crazy.frog@gmail.com>
    wrote:

    > false positives.allthough we need to fine tune it to
    > reduce this stuff.
    >
    > On 10/19/05, zero <zeroboy@arrakis.es> wrote:
    > > Hi all,
    > > I would like to know what are the problems
    > people working with IDS sees in
    > > them. I mean, what are the things you hate
    > about IDS, think simply you feel
    > > are plain wrong or that they should be another
    > way to it.
    > >
    > > Al comments are greatly appreciated :)
    > >
    > > Thxs in advance.
    > >
    > --
    > ting ding ting ding ting ding
    > ting ding ting ding ding
    > i m crazy frog :)
