Network Security Focus-IDS

Re: How to choose an IDS/FW MSS provider

Subject: Re: How to choose an IDS/FW MSS provider
Date: Mon, 21 Mar 2005 12:35:30 +0530
See comments inline.

-Prashant 

On Thu, 17 Mar 2005 10:03:00 -0500, Andre Ludwig <andre.ludwig@gmail.com> wrote:
<Snip>
I would also like to add this simple question (and answer) to the mix.

What is the best way to evade an IDS?

Knowing what it looks for...

Open sigs for an IDS/IPS do more harm than good (for the majority) IMO.
</Snip>
 
I totally agree upon that. But another problem of having closed
signatures is that they cannot be customized for reducing false positives,
which was the other part of this debate! The solution for the
problem would be something intermediate, as you suggested.

<Snip>
I.e. a SKILLED attacker wants to attack my network, and I use an IDS
that has an open sig set. Via posts on various mailing lists the
attacker has worked up a probability matrix of what products are being
used for IDS/IPS. So happens that those products have an open
signature set. Now all the attacker has to do is look at what those
systems' deficiencies are (be it from a technical standpoint, be it
from a sig standpoint) and modify his attack to circumvent the
product that is put in place.

Those open sigs sure did help in evading the protection put in place.

The best option IMO is having a skilled R&D team who is on the edge of
what is out there, a closed signature set, and the ABILITY to add your
own SIGNATURES from other sources (be it snort-based rules only or
snort-based rules + vendor-based rule framework). All of a sudden
you then have the best of both worlds.
</Snip>

That's a good idea indeed, but it might not turn out to be cost and time
effective, as this requires a lot of expertise and effort. In the
longer run this may be painful IMHO.

The usual practice for implementing the IPS, and one of the good
intermediate ways which perhaps everybody follows to overcome the closed
sigs/false +ves problem, is to implement the IPS in sniffer mode (to
act as IDS) initially in your environment, study the false
positives and then report them to the respective vendor. That would be
a test against the vendor's support also :-). Once you feel everything is
fine, the same can be put into inline mode (that's what most
vendors too recommend), but at the same time if your vendor support
ain't good you are left clueless!! With some vendors having their
framework already laid for writing custom signatures, the IDS/IPS can
be tuned perfectly for your environment :-)

<Snip>
Oh and simple pattern matching is crap, there needs to be an
abstraction layer above the pattern matching that says "apply this
pattern if the following criteria have been met {syn syn ack syn ack
*pattern* rst}" or something along those lines that are exploit
specific, be it flow information or protocol level flags or features.
</Snip>

Very true.. ahh, but that's why ppl like to have open sigs perhaps!!
At the same time if you are security conscious then you gotta be
paranoid / you will prefer closed sigs.
I know I have written self-contradicting statements but this is what I think.

-Prashant
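The "abstraction layer above the pattern matching" Andre describes (apply a content pattern only once the TCP state criteria are met) is illustrated below with an added example that is not part of the thread: a toy stateless matcher beside a flow-aware one, run over a constructed packet list. The flow state machine, the sample signature and the traffic are all constructed for the illustration; a real IDS would additionally reassemble streams and handle retransmissions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str          # TCP flags as a short string: "S", "SA", "A", "PA", "R", "F"
    payload: bytes = b""

SIG = b"/cgi-bin/phf"   # constructed sample content pattern

def stateless_alerts(pkts):
    """Naive matcher: fire on any packet whose payload contains the pattern."""
    return [i for i, p in enumerate(pkts) if SIG in p.payload]

def stateful_alerts(pkts):
    """Flow-aware matcher: apply the pattern only to payload carried on a
    connection whose three-way handshake completed and has not been torn down."""
    flows = {}  # canonical flow key -> (state, initiator address)
    alerts = []
    for i, p in enumerate(pkts):
        key = tuple(sorted((p.src, p.dst)))
        st, init = flows.get(key, (None, None))
        if p.flags == "S":                                   # SYN from initiator
            flows[key] = ("SYN", p.src)
        elif p.flags == "SA" and st == "SYN" and p.dst == init:  # SYN/ACK back
            flows[key] = ("SYNACK", init)
        elif st == "SYNACK" and p.src == init and "A" in p.flags:  # final ACK
            flows[key] = ("EST", init)
            st = "EST"
        elif "R" in p.flags or "F" in p.flags:               # RST/FIN tears the flow down
            flows.pop(key, None)
            st = None
        if st == "EST" and SIG in p.payload:
            alerts.append(i)
    return alerts

# Constructed traffic: one real request on an established flow (index 3),
# then two pattern hits that never belonged to a live connection (indices 5, 6).
TRAFFIC = [
    Pkt("10.0.0.5", "10.0.0.80", "S"),
    Pkt("10.0.0.80", "10.0.0.5", "SA"),
    Pkt("10.0.0.5", "10.0.0.80", "A"),
    Pkt("10.0.0.5", "10.0.0.80", "PA", b"GET /cgi-bin/phf HTTP/1.0\r\n"),
    Pkt("10.0.0.5", "10.0.0.80", "R"),
    Pkt("192.0.2.9", "10.0.0.80", "PA", b"GET /cgi-bin/phf HTTP/1.0\r\n"),  # no handshake
    Pkt("10.0.0.5", "10.0.0.80", "PA", b"GET /cgi-bin/phf HTTP/1.0\r\n"),   # after RST
]

if __name__ == "__main__":
    print("stateless:", stateless_alerts(TRAFFIC))   # → [3, 5, 6]
    print("stateful: ", stateful_alerts(TRAFFIC))    # → [3]
```

The stateless matcher raises three alerts, two of them on packets that no server ever accepted; gating on flow state keeps only the one carried on a completed connection, which is the false-positive reduction the thread is arguing about.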

