
| Subject: | Re: on TASL correlation rules |
|---|---|
| Date: | Wed, 28 Dec 2005 08:46:30 -0300 |
"I think it's a dirty little secret that much fewer customers customize NIDS rules than the NIDS vendors think..."

Totally true. I believe that's because they sell their products as something that doesn't need to be customized. I like to say that IDSes are more like ERP systems than Antivirus. A lot of customization is required to make them work.

Regards,
Augusto.

On 12/23/05, Anton Chuvakin <anton@chuvakin.org> wrote:
> Ron and all,
>
> > In general though, the issue we've found while writing these types of rules is that whatever the algorithm, there is always a trade off between being exact and being general.
>
> That is *exactly* the discussion I wanted to start! Thanks for picking it up. When one provides canned correlation rules (such as your TASL scripts), this question comes up in full force. And, unlike NIDS rules, where people expect them to work pretty much out of the box (I think it's a dirty little secret that much fewer customers customize NIDS rules than the NIDS vendors think...), this one gets real subjective real quick. And this is where the site-specific rules or scripts come in.
>
> > Site-specific rules can get much more interesting. For example, writing a rule that can alert on any "SSH login failure" not coming from the SOC is very simple, but you have to know about the DNS server, the SOC and the trust relationship between them beforehand.
>
> This is one of my favorite examples: it's an extremely simple and just as useful custom rule ("if SSH not from SOC, alert") but an impossible default vendor-provided rule. The main question is: how many people will go and create it? Will the "NIDS disease" (mentioned above) hit it as well and thus devalue the correlation software?
>
> Best,
> --
> Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
> http://www.chuvakin.org http://www.securitywarrior.com
--
Augusto Paes de Barros, CISSP-ISSAP(r)
http://www.paesdebarros.com.br/indexpb.html
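The site-specific rule Anton holds up ("if SSH login failure not from SOC, alert"), as an added example that is not part of the original thread: it applies the rule to constructed OpenSSH syslog lines, with the SOC address range (10.20.30.0/24) an assumed, site-specific value of exactly the kind a vendor cannot know in advance.

```python
import ipaddress
import re

# Site-specific knowledge the rule depends on: the SOC's address range.
# This CIDR is an assumption constructed for the example.
SOC_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]

# Matches OpenSSH failure lines, including the "invalid user" variant.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

def from_soc(src_ip: str) -> bool:
    """True if the source address falls inside any SOC network."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        # Unparseable source: treat as untrusted so it is not silently dropped.
        return False
    return any(addr in net for net in SOC_NETWORKS)

def correlate(log_lines):
    """Apply the 'SSH login failure not from SOC' rule to raw syslog lines.

    Returns one alert dict per failure whose source is outside the SOC.
    """
    alerts = []
    for line in log_lines:
        m = FAILED_LOGIN.search(line)
        if not m:
            continue  # not an SSH failure; ignore
        if from_soc(m["src"]):
            continue  # failures originating in the SOC are expected noise
        alerts.append({"user": m["user"], "src": m["src"], "method": m["method"]})
    return alerts

# Constructed sample log lines (not real data).
SAMPLE_LOGS = [
    "Dec 28 08:40:01 dns1 sshd[2210]: Failed password for root from 10.20.30.7 port 51022 ssh2",
    "Dec 28 08:40:09 dns1 sshd[2214]: Failed password for invalid user admin from 192.0.2.45 port 40110 ssh2",
    "Dec 28 08:40:12 dns1 sshd[2214]: Accepted publickey for ops from 10.20.30.7 port 51030 ssh2",
    "Dec 28 08:41:30 dns1 sshd[2230]: Failed publickey for ops from 198.51.100.9 port 33000 ssh2",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"ALERT: SSH {a['method']} failure for {a['user']} from non-SOC host {a['src']}")
```

The SOC failure against `dns1` is suppressed while the two outside failures alert, which is the whole rule; the trade-off Anton and Ron discuss shows up as soon as `SOC_NETWORKS` is wrong or incomplete.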