Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IDS detection approaches

from [Liran Cohen] Network Security [Permanent Link]
Subject: Re: IDS detection approaches
Date: Sun, 14 Oct 2007 17:30:31 +0200
I think blocking packets based on scoring of the source is a very bad way to go, just like spam it will result in a lot of false positives, and actually lead to a "selective" internet which I am sure many dont want the thing is by scoring you cannot just decide a subnet is likely to have attacks originating from it thus block that subnet (like people do with e-mails) I happened to see a lot of e-mails servers which were blocked due to CBLs and such and were in fact clean servers but removing such an entry from the CBLs is a very long tiring process resulting in servers such as hotmail which many dont use because it blocks many subnets. I would hate to see the same happen with IDS i.e. trying to surf the internet and getting a "your page has been blocked due to IP black listing from your subnet" because someone decided to perform an attack from my subnet.

My 2 cents.... ;)

'Merigoth' wrote: 
FF, I believe IDS placement should depend upon it's purpose. The
purpose of the IDS should determine where the IDS is placed. For
example, an IDS whose purpose is to identify all possible inbound
threats for firewall tweaking (or returning traffic back to the
community ;]) should be placed outside the firewall. A production
protection IDS would probably be better placed inside the firewall.
Defense-in-depth and architecture design are two key points to
remember.

As far as answering the initial question, one new trend is
"vector-based" modeling. Take a look at http://www.trustedsource.org/,
and the trustedsource query. Plug in a few IP addresses and see.
(NOTE: I do not work for secure computing.) The simplistic idea is a
network space, 192.168.1.x (for example), is given a "credit card"
score (or trust-worthiness score). This "trust-worthiness" score is a
determination of the network space to be secure and remain secure at a
given point in time. If the IP address or network space is flagged as
malicious, a firewall admin may wish to block all traffic to/from that
IP space. Remember that saying about blocking email based upon country
codes/location/email language due to the likelihood of spam. This
takes that idea and makes it a little more useful, in my opinion. This
is possible because it is an aggregation of flow data, signature based
and heuristic/anomaly detection IDS capabilities. 

Partially referring back to the initial paragraph and what others have
mentioned, a company needs a blended IDS system. Signature-based
systems require dedicated analysts to maintain, and can quickly absorb
storage space on large links. Flow data, usually coming from routers,
can provide important information. However, it usually requires an
outside trigger (like a trustworthiness score or an IDS event) to
research. One of the key benefits of flow data is the amount of
traffic passed for an event. An IDS system may not capture the full
stream or storage may be an issue. Flow data can record the totally
bytes passed, which can be in the 10s of megs of data, in the space of
a few hundred bytes. So the conversation turns back into
defense-in-depth and architecture design.

I think application layer / "deep packet analysis" is also starting to
take off, as well.

Hopefully, this helps snort user.


-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of
frankfrydrych@gmail.com
Sent: Thursday, October 04, 2007 4:30 PM
To: focus-ids@securityfocus.com
Subject: Re: IDS detection approaches

Hola,


I would completely go with a signature based IDS. Anomaly based IDS
will not give you the greatest results. 


For signature base I highly recommend SNORT. It is probably one of the
best IDS out there. Now I'm not just saying this as a "ooh open source
is the best".  I truely believe this. I actually use to be a huge
Cisco buff and just dealt with Cisco IDS. However, at my current job I
am a security analyst and have to analyze events from Cisco, IIS,
Juniper, etc, and SNORT beats them all. Mainly for the fact that you
are able to see the packet payload and are able to make the decision
if something is malicious based on the actual payload and not just the
signature that is triggered (like some IDS). Also, when a new threat
emerges usually SNORT users will create a signature to combat the
threat. The other vendors create the signatures for you and it usually
ends up to be like 3 months after the threat was actually a realistic
threat. And on top of it the vendor signatures usually give out huge
amount of false positves. Then again, an IDS is only as good as who
tunes it. If you take A
 NY IDS and turn it on in a production network you will have so many
false positives I garuntee you will miss actual threats. Every IDS
(including SNORT) has to be tuned for the production network it is on.


Finally, make sure to place the IDS behind the firewall. If you place
it in front of the firewall you will receive so much traffic that it
is just not valuable data. You have a firewall, so let the firewall do
its job and block the already known bad activity, and catch what gets
through the firewall with a IDS.


-FF

----------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campa
ign=intro_sfw to learn more.
----------------------------------------------------------------------
--


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------



--
Liran Cohen
http://www.rct.co.il
http://www.dir.rct.co.il


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IDS detection approaches, Jason
Next by Date:  Re: Sessions Resource Exhaustion, Roland Dobbins
Previous by Thread:  RE: IDS detection approaches, 'Merigoth'
Next by Thread:  Oracle XDB FTP, Kanagasingham, Prathaben
Indexes:  [Date] [Thread] [Top] [All Lists]