

Re: [Snort-sigs] New idea in change tracking for nets

Subject: Re: [Snort-sigs] New idea in change tracking for nets
Date: Wed, 01 Sep 2004 03:06:32 -0500
Further (party pooper mode), aren't you getting a little into 'mission creep'?
It's only a normal thing, but IDS should be "intrusion" detection, not detecting normal SOP
changes to infrastructure. Sure, you *can* do that, but one would hope that
your normal change control process would have a feedback loop in the process
to accommodate that need. I am speaking from the standpoint of a 24/7 global
operation with a strict change control process where such occurs only twice
a week (and flexible enough to realistically admit that sometimes it's hard to
tell the difference daily in the amount of traffic from emergency changes and scheduled).
(Yes, unlike many others we officially do stuff twice a week instead of twice a month....!)


The mission of IDS should be to detect and react to abnormal, not to validate and
manage SOP.




Frank Knobbe wrote:

On Tue, 2004-08-31 at 22:49, Matt Jonkman wrote:


A new idea came our way to augment an organization's change control measures. We're writing signatures to track when devices on the network have config changes made remotely.

First step is routers and switches. Most are managed via telnet (even though ssh is better), and the configuration modes are easily recognizable.



Why do you need signatures for that? Can't normal profiling identify configuration/telnet attempts? When we profile networks, we construct a behavior matrix of what is normal and expected traffic, and alert on abnormal conditions. Such an abnormal condition could be telnet access into a device from a non-authorized IP. That can be caught without a content-based signature, and is therefore more flexible.

Further, why would you want to alert when a user has successfully
authenticated to a network component? Wouldn't you want to watch for
failed logon attempts instead of successful logons?

Another advantage in going the signature-less way is that you don't have
to assemble a ton of sigs for known devices (which still leaves the
unknown, or lesser known, devices out in the dark, such as an old
Wellfleet router or *gasp* a Motorola router, or something ...uhm...
antique. How about Ascend Pipelines? No wait, let me get a catalog and
inventory a comprehensive list of manufacturers first... :)

And then if you do have a signature set, you need to keep it maintained,
as it can change after firmware upgrades.


Before I sound too much like a party-pooper, I'll just leave with the
excuse of playing devil's advocate. :)

Regards,
Frank
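The two approaches argued over in this thread, as an added example that is not code from the thread or from Snort: a profile check that alerts on a management session from outside a device's baseline (no packet content needed), beside a content signature that fires on a known configuration-mode prompt, whoever opened the session. All addresses, device names, prompts and session records are constructed.

```python
import re
from ipaddress import ip_address, ip_network

TELNET, SSH = 23, 22

# Behaviour matrix: for each managed device, the sources expected to open
# management sessions to it (constructed addresses).
BASELINE = {
    "10.0.0.1": [ip_network("192.168.100.0/24")],  # core router: mgmt subnet
    "10.0.0.2": [ip_network("192.168.100.10/32")],  # switch: one jump host
}

# Content signature: the config-mode prompt of one vendor family. Every other
# vendor or firmware prompt needs its own entry, which is the upkeep cost.
CONFIG_PROMPT = re.compile(r"\(config[^)]*\)#")


def profile_alert(src, dst, dport):
    """Alert on a telnet/ssh session to a known device from outside its
    baseline; no packet content is inspected. Returns None when normal."""
    if dport not in (TELNET, SSH) or dst not in BASELINE:
        return None
    if any(ip_address(src) in net for net in BASELINE[dst]):
        return None
    return f"unauthorized mgmt session {src} -> {dst}:{dport}"


def signature_alert(dst, payload):
    """Alert when the device's output contains a known config-mode prompt,
    regardless of who opened the session. Returns None otherwise."""
    if CONFIG_PROMPT.search(payload):
        return f"{dst} entered configuration mode"
    return None


# Constructed session records: (src, dst, dport, bytes sent by the device).
SESSIONS = [
    ("192.168.100.10", "10.0.0.2", SSH, ""),
    ("172.16.5.9", "10.0.0.1", TELNET, "core1#conf t\r\ncore1(config)#"),
    ("192.168.100.7", "10.0.0.1", TELNET, "core1(config)#"),
]


def scan(sessions):
    """Run both checks over session records and collect the alerts raised."""
    alerts = []
    for src, dst, dport, payload in sessions:
        for alert in (profile_alert(src, dst, dport), signature_alert(dst, payload)):
            if alert:
                alerts.append(alert)
    return alerts
```

Note that the third record is an authorized change from the management subnet: the profile check stays quiet while the content signature still fires, and a device whose prompt is not in the signature (or not in the baseline) raises nothing from that check at all.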


