RE: Views and Correlation in Intrusion Detection

>>To be really effective, I'd like to see a system that looks at packets
>>coming in to the network, compares those to packets hitting specific
>>servers, "knows" if the server is vulnerable to the specific attack and
>>*then* sends an alert.

I dont know how _well_ it works, but if your an ISS shop then SiteProtector/Fusion is supposed to do this now. So is nCircle's IP360. Granted, this is a far cry from a universal management console with the logic to do this between products from multiple vendors. Nor are they cheap. But if you have all the products from one the same company this integration seems on the horizon, with several vendors working on it - so if it doesnt work well yet it should soon. (laughter)

If you want the whole enchilada, and have the $$, there are a slew of Security Log Managers or <insert marking phrase name here> that are attempting to do this. Arcsight, intellitactics, Micromuse, e-Security, netforensics, and Open are vendors, to name a few at random, that have products that will take all of your data, put it into a uniform format, and apply correlation rules for you. The quality of this varies a lot between products, and seems related to price. Some of the products consider correlation to be simply noting that messages from two disparate logs have the same IP (src or dst). Other products have a more detailed correlation rule set engine, allowing you to say "IF events X, Y, and Z, but NOT A and from subnet 1.2.3.255 THEN generate alert Meta1." These later products often come with large pre-programmed generic rules to attempt and catch some common patterns. The ability to integrate IDS data and vulnerability scan data is lacking in most of these.

$0.02
-Tom

-----Original Message-----
From: Paul Schmehl [mailto:pauls@utdallas.edu] Sent: Monday, June 23, 2003 4:26 PM
To: adam.w.hogan; Focus-Ids (E-mail)
Subject: Re: Views and Correlation in Intrusion Detection

How about a "user's" POV?

To be really effective, I'd like to see a system that looks at packets coming in to the network, compares those to packets hitting specific servers, "knows" if the server is vulnerable to the specific attack and *then* sends an alert.

To do this kind of work you would need:
1) a db (A) with the info on each server - OS, applications, vulnerabilities, etc.
2) a detection engine that matches the IP and attack sig to the entry in the db (A) with its own db (B) of sigs
3) an escalation procedure that recognizes that attack A was successful and attack B has begun and therefore alerts "more aggressively".

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

I don't want to know if an attacker is trying an overflow attack on my IMAP server if my IMAP server isn't vulnerable to that attack. I could care less. I also don't want to know if some box somewhere with Code Red is hitting my network *unless* I have a box that's susceptible to Code Red.

So it takes a combination of knowledge to alert "intelligently". 1) What is the attack? 2) Is the box vulnerable to that attack? 3) Did the attack reach that box? 4) Was the attack successful?

--On Monday, June 23, 2003 02:25:40 PM -0400 "adam.w.hogan" <adam.w.hogan@delphi.com> wrote:

> It seems to me that this thread and the 'IDS is dead, etc' thread are
> both coming to same conclusions.  Namely, much more work/research needs
> to be done in event correlation to efficiently, and effectively, use an
> IDS.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

---
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training
sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's
to 
"underground" security specialists.  See for yourself what the buzz is
about!  
Early-bird registration ends July 3.  This event will sell out.
www.blackhat.com
----------------------------------------------------------------------------
---

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------