Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IDS event filtering

from [Evans, Arian] Network Security [Permanent Link]
Subject: RE: IDS event filtering
Date: Fri, 31 Dec 2004 19:03:22 -0600 
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Billy,

Patrick is right; filtering can be good...and bad. What
I have seen happen too many times is that someone turns
off their alerts for say slammer, and add 10 new developers
who install MSDN and you have 10 unpatched new MSDE instances
clogging your pipes. Or the fully-patched IIS web server
gets reloaded in the middle of the night as part of
trouble-shooting a corrupt metabase; within 15 minutes
you now have a new remotely managed system on your network.

I think there are a few ways to filter; the effectiveness
and scalability of each depend on the size of your enterprise
and the time you have on your hands:

1. Correlation of security event with vuln scanner data. ISS's
Fusion does this. Several SEM vendors (e.g.-Arcsight) claim
to do this.

2. Tuning of ruleset known vs. unknown. The beauty of snort
are her variables flexibility; you can create known-patched-sql
vs. rest-of-network vars and ignore or alert priority accordingly.

This is risky to me b/c you never know that was is patched
stays patched (unless you're small and doing it yourself).

3. Correlation of known-platforms vs. signature variables.
Sourcefire does this in a backend database now. RNA can let
you know that the server being attacked by Code Red is Apache
so you can filter out that noise. RNA is fairly accurate in
detection. Nevo does something like this but I haven't looked
at in over a year so not sure if any backend IDS correlation.

4. Holy grail of NIDS: auto-tune your sensors based upon either
scanner data or passive fingerprinting. Sourcefire is going this
way with RNA on the passive fingerprinting front. I don't know
anyone auto-tuning off of scan data yet.

Scanners get more accurate and detailed data than passive finger-
printing in most ways, and usually require less $ investment
and less change to infrastructure to use than passive finger-
printing. Downside to scanning is that it's non-real-time,
usually much slower data collecton process, and can be invasive.

5. Spreadsheet: Operationalize prioritization with a list of
what "should be patched" vs. unknown. Deprioritize alerts on
systems that should be patched (as above) and have someone
kick off a patch auditor to verify, perhaps next am, etc.

Unknown systems showing attack/response should get immediate
response and investigation.

I can't believe I'm reading this list for the first time in
weeks, and on NYE. Bad bad bad. Good luck, Happy New Year all,

Arian 


-----Original Message-----
From: Harper, Patrick [mailto:Patrick.Harper@phns.com] 
Sent: Friday, December 31, 2004 3:32 PM
To: CraftedPacket@securitynerds.org; focus-ids@lists.securityfocus.com
Subject: RE: IDS event filtering

 
*** PGP SIGNATURE VERIFICATION ***
*** Status:   Unknown Signature
*** Signer:   Unknown Key (0xDBEFE07F)
*** Signed:   12/31/2004 3:31:26 PM
*** Verified: 12/31/2004 6:46:06 PM
*** BEGIN PGP VERIFIED MESSAGE ***

Thresholding is a wonderful thing.  And no, I personally do not want
to see alerts on tings I do not have.  If I am an all apache shop
then I do not turn on any IIS rules.  I also make sure, via scanning
and vulnerability analysis, that I do not in fact have any IIS (or
whatever) installed.  You first need to have a good inventory of what
you have.  And you need to keep that up to date so you always know
what you have.  Then you trim all rules to that.  Weather it be
ingress - egress firewall rules, IDS configs, or whatever.  Figure
out what you have, learn how it flows (and make it work/flow the
secure way) then monitor it. 

 
-----Original Message-----
From: Billy Dodson [mailto:CraftedPacket@securitynerds.org] 
Sent: Friday, December 31, 2004 9:37 AM
To: focus-ids@lists.securityfocus.com
Subject: IDS event filtering

I am wanting to get an idea of what you guys out there filter from
your
IDS sensors.  Some of the sensors I monitor get TONS of events for
MSSQL
control overflows.  If the customer is patched for slammer and does
not
have any SQL services on the internet, is it safe to filter out those
events?  Do you still want to see that traffic even though you know
your
are not vulnerable?  Thanks!

----------------------------------------------------------------------
----
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks
from 
CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
----------------------------------------------------------------------
----





*** END PGP VERIFIED MESSAGE ***




Disclaimer:
This electronic message, including any attachments, is 
confidential and intended solely for use of the intended 
recipient(s). This message may contain information that is 
privileged or otherwise protected from disclosure by 
applicable law. Any unauthorized disclosure, dissemination, 
use or reproduction is strictly prohibited. If you have 
received this message in error, please delete it and notify 
the sender immediately. 




--------------------------------------------------------------
------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world 
attacks from 
CORE IMPACT.
Go to 
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------
------------




-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQdX22jw+XG8chAQiEQLxdwCg4YiSXOANOTBvv1M8nuk9n67aPpAAoLqP
56vHzMxa3lrK+QCc/GQirgFs
=zW8L
-----END PGP SIGNATURE-----



The information transmitted in this e-mail is intended only for the addressee 
and may contain confidential and/or privileged material. 
Any interception, review, retransmission, dissemination, or other use of, or 
taking of any action upon this information by persons or entities
other than the intended recipient is prohibited by law and may subject them to 
criminal or civil liability. If you received this communication 
in error, please contact us immediately at 816.421.6611, and delete the 
communication from any computer or network system.



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Specification-based Anomaly Detection, Roberto Perdisci
Next by Date:  RE: IDS event filtering, Phil Hollows
Previous by Thread:  Re: IDS event filtering, Reto Baumann
Next by Thread:  RE: IDS event filtering (NeVO comments), Ron Gula
Indexes:  [Date] [Thread] [Top] [All Lists]