Hi list!
I'd like to share my correspondence about how RealSecure Network sensor, an
IDS from ISS, (RNE in further discussion) triggers events if more then one
signature were found in packet or session. I've got to know that "the most
important" event will be seen in console and I think that in general it
isn't correct for IDS, because knowledge about priority in which events are
triggered can give an attacker the opportunity to evade IDS and hide the
real invasion. May be I don't understand something, please, correct me if
I'm wrong.
May be it's not so in RNE, and all signatures a checked...
ANY feedback will be appreciated. Also it's interesting how signature
processing is organized in other IDSs/IPSs. Do all signatures have to be
checked or it's possible to check them is special priority??
Thanks.
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)
----- Forwarded by Sergey V Soldatov/DKB/HQ-MSK/TNK on 20.12.2004 09:39
-----
Sergey V Soldatov
08.12.2004 10:53
To: "Ballerini, Jean Paul (ISS EMEA)"
<JPBallerini@iss.net>@TNK
cc:
Subject: RE: Adv RSSP students guide
Hope, that I still have not bothered you enough, but it's very serious, I
think. As I've understood you if some packet or number of packets in
analysed session match a lot of signatures I'll get "the most important" in
console, but the only one ?!
It isn't right for sensor, _all_ matched signatures MUST be shown in
console or analysed by correlation engine (if it is). If RNE really shows
only one event - it's bug that has to be fixed.
In this case I have another question, - where can I get a list with
signatures priorities to get to know which signature will be displayed in
case when a number "high" events were found?
You can post answers on ISSForum, I think, this topic may be interesting
for all.
Good luck.
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)
"Ballerini, Jean Paul (ISS EMEA)" <JPBallerini@iss.net>
07.12.2004 19:10
To: "Sergey V Soldatov" <SVSoldatov@tnk.ru>
cc:
Subject: RE: Adv RSSP students guide
Sergey,
We detect the all events but generate only one, the one with highest
risk because it is the most important for blocking.
Jean Paul
-----Original Message-----
From: Sergey V Soldatov [mailto:SVSoldatov@tnk.ru]
Sent: Monday, December 06, 2004 3:19 PM
To: Ballerini, Jean Paul (ISS EMEA)
Subject: Adv RSSP students guide
Reading Adv RealSecure Site Protector students guide (05/23/03) on p. 79
within server sensor
data path explanation I've found interesting phrase:
'Unlike Network Sensor, Server sensor allows events to match more than
one
signature at a time.' Does it mean that in case of RNE one packet can
trigger only one signature if matches? As I can see in SiteProtector
Console it
isn't
so, and it's QUITE RIGHT. But if it's so and I've understood this
correctly
it is awfully, because it presumes to intruder to hide really important
events among informationl ones and so pass over IDS. Early versions of
Snort had such vulnerability, but it was corrected a long time ago. Is
it
so? Please, let me know.
Good luck!
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
