| Subject: | Re: [ISSForum] Event/Rule Precedence |
|---|---|
| Date: | Thu, 24 Feb 2005 18:43:09 +0300 |
Hi, Chris.
Recently I asked a similar question on this forum but it was left without
discussion, it's a pity. I'm sure that it's very serious and I suppose that
an IDS/IPS MUST (please, correct me if I'm wrong!) report all events it has
found without exception, because any "prioritization" of signatures can be
the subject of its mitigation... but it seems that ISS thinks in a different
way.
If all signatures really have a special "priority" it's desirable for ISS
to share these rules to predict RNE's behaviour.
Here is my correspondence, I think it will be interesting for you. List
members, please, excuse me, that you again see the same letters...
---------------------------------------------------------------
Hi list!
I'd like to share my correspondence about how RNE triggers events if more
than one signature is found in a packet or session. I've got to know that
"the most important" event will be seen in the console and I think that it
isn't correct for an IDS, because knowledge about the priority in which events are
triggered can give an attacker the opportunity to evade the IDS and hide the
real invasion. Maybe I don't understand something, please, correct me if
I'm wrong.
ANY feedback will be appreciated.
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)
----- Forwarded by Sergey V Soldatov/DKB/HQ-MSK/TNK on 20.12.2004 09:39 -----
From: Sergey V Soldatov
Date: 08.12.2004 10:53
To: "Ballerini, Jean Paul (ISS EMEA)" <JPBallerini@iss.net>@TNK
cc:
Subject: RE: Adv RSSP students guide
Hope that I still have not bothered you enough, but it's very serious, I
think. As I've understood you, if some packet or number of packets in the
analysed session match a lot of signatures I'll get "the most important" in the
console, but only one?!
It isn't right for a sensor, _all_ matched signatures must be shown in the
console or analysed by a correlation engine (if there is one). If RNE really shows
only one event, it's a bug that has to be fixed.
In this case I have another question: where can I get a list with
signature priorities, to get to know which signature will be displayed in
the case when a number of "high" events were found?
You can post answers on ISSForum, I think, this topic may be interesting
for all.
Good luck.
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)
From: "Ballerini, Jean Paul (ISS EMEA)" <JPBallerini@iss.net>
Date: 07.12.2004 19:10
To: "Sergey V Soldatov" <SVSoldatov@tnk.ru>
cc:
Subject: RE: Adv RSSP students guide
Sergey,
We detect all the events but generate only one, the one with the highest
risk, because it is the most important for blocking.
Jean Paul
-----Original Message-----
From: Sergey V Soldatov [mailto:SVSoldatov@tnk.ru]
Sent: Monday, December 06, 2004 3:19 PM
To: Ballerini, Jean Paul (ISS EMEA)
Subject: Adv RSSP students guide
Reading the Adv RSSP students guide (05/23/03) on p. 79, within the server sensor
data path explanation, I've found an interesting phrase:
'Unlike Network Sensor, Server sensor allows events to match more than one
signature at a time.' Does it mean that in the case of RNE one packet can
trigger only one signature if it matches? As I can see in SP Console it
isn't so, and it's QUITE RIGHT. But if it's so and I've understood this
correctly, it is awful, because it allows an intruder to hide really important
events among informational ones and so get past the IDS. Early versions of
Snort had such a vulnerability, but it was corrected a long time ago. Is
it so? Please, let me know.
Good luck!
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)
---------------------------------------------------------------
---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)
From: Chris Norris/AMIG <CNorris@amig.com>
Sent by: issforum-bounces@iss.net
Date: 23.02.2005 23:04
To: <ISSForum@iss.net>
cc:
Subject: [ISSForum] Event/Rule Precedence
I have a question concerning the creation of "custom" events such as "User
Defined" and "Connection" type events. If a single packet matches criteria
for an XPU signature, and a user defined event, and a connection event,
what will it be displayed as in the Sensor Analysis tab? Will only 1 of
those be selected based on some order of processing, or will it show up 3
times? My concern is that writing a broad type of connection event might mask
more serious events if they only display 1 time.
Regards,
Chris Norris
American Modern Insurance Companies
Sr. Security Engineer
IS Risk and Security Management
7000 Midland Blvd.
Amelia, OH 45102
Ph: 513-947-5454
email: cnorris@amig.com
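The two alert policies argued about in this thread (Jean Paul's "detect all, generate only the highest-risk event" versus Sergey's "every matched signature must reach the console or correlator") can be modelled in a few lines. The following is an added example written for this archive page, not code from ISS, RNE or any list member; the signature names, the risk scale, the matching predicates and the three sample requests are all constructed. It shows, per packet, which matches the highest-only policy drops on the floor, which is exactly what Chris is asking about when he worries that one event type might mask another.

```python
"""Toy model of per-packet alert generation under two policies.

Constructed example: signatures, risk levels and traffic are made up for
illustration and do not describe any real product's rule set.
"""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    risk: int                          # constructed scale: 1 = info, 3 = high
    matches: Callable[[bytes], bool]   # predicate over the packet payload


# Constructed signature set: one broad "connection"-style rule that fires on
# every HTTP request, plus two narrower, higher-risk content rules.
SIGNATURES: List[Signature] = [
    Signature("HTTP_Request", 1,
              lambda p: p.startswith(b"GET ") or p.startswith(b"POST ")),
    Signature("HTTP_Dir_Traversal", 2, lambda p: b"../" in p),
    Signature("HTTP_Shell_Cmd", 3, lambda p: b"/bin/sh" in p),
]


def match_all(packet: bytes, sigs: List[Signature] = SIGNATURES) -> List[Signature]:
    """Everything the sensor detects for one packet, in rule order."""
    return [s for s in sigs if s.matches(packet)]


def highest_only(matched: List[Signature]) -> List[Signature]:
    """Policy described by Jean Paul: emit only the single highest-risk event."""
    return [max(matched, key=lambda s: s.risk)] if matched else []


def report_all(matched: List[Signature]) -> List[Signature]:
    """Policy Sergey argues for: forward every match to the console/correlator."""
    return list(matched)


Event = Tuple[int, str]   # (packet index, signature name)


def run_policy(packets: List[bytes], policy) -> List[Event]:
    """Apply a generation policy to each packet; return the events that surface."""
    surfaced: List[Event] = []
    for i, p in enumerate(packets):
        for s in policy(match_all(p)):
            surfaced.append((i, s.name))
    return surfaced


def lost_events(packets: List[bytes]) -> Set[Event]:
    """Matches the sensor saw that the highest-only policy never reported."""
    return set(run_policy(packets, report_all)) - set(run_policy(packets, highest_only))


# Constructed sample traffic: a plain request, one with a traversal pattern,
# and one that trips all three rules at once.
SAMPLE: List[bytes] = [
    b"GET /index.html HTTP/1.0",
    b"GET /../../etc/passwd HTTP/1.0",
    b"POST /cgi-bin/../bin/sh?x HTTP/1.0",
]

if __name__ == "__main__":
    for i, p in enumerate(SAMPLE):
        print(i, [s.name for s in match_all(p)])
    print("highest-only surfaces:", run_policy(SAMPLE, highest_only))
    print("silently dropped:     ", sorted(lost_events(SAMPLE)))
```

The point for a detection engineer is in `lost_events`: under highest-only generation the broad low-risk rule never masks a higher one (the maximum always wins), but every lower-ranked co-match on the same packet vanishes, so a correlation engine or analyst downstream cannot know that the traversal pattern accompanied the command-execution pattern. Whatever the sensor's policy, the operator needs either all matches forwarded or a published precedence list, which is the request both Sergey and Chris are making.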
_______________________________________________
ISSForum mailing list
ISSForum@iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@iss.net
The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.