Re: IDS is dead, etc
From: David W. Goodrum <dgoodrum(at)nfr.com>
Date: Tue Aug 05 2003 - 13:11:37 EDT

I realize we're mostly talking about Snort here, but NFR implemented a passive fingerprinter in its 3.2 version of the NID (released earlier this year). We use it for two main reasons: one, to provide the customer with more information (i.e. I see Nimda alerts, but it also says that the destination OS is RedHat, therefore the end user can ignore it); two, we use it for fragmentation reassembly, so that we can reassemble fragmented attacks using the same method as the victim OS. There's more info on our website if you're interested.

Regarding application fingerprinting, our WWW package does offer the ability to detect what the destination server "says" it is, and alert appropriately, i.e. don't alert on IIS attacks against Apache servers. Additionally, we _can_ fingerprint the source's application by looking at the User-Agent field. This might be helpful if you're getting potential false positives: you can identify whether they come from a legitimate browser, or from somebody using netcat (which would not supply a User-Agent field unless the netcat user manually entered it.)

-dave
Burak DAYIOGLU wrote:
>>> I would love to see a fingerprinting tool that identified the client and
>>> server Operating System / Application and reduced the priority of alerts
>>> for false positives when it is known that the system is not vulnerable.
>>> The alerts still flag, so we see the drive-by shootings, but as their
>>> priority is reduced they are less significant.
>>>
>>> Anyone got any development ideas on this front?
>>
>> I'm working on just such a program/product called RNA (Real-time Network
>> Awareness) right now; we've got a press release outlining the technology
>> (which isn't available yet) on the Sourcefire web site. I'll spare everyone
>> the marketing here; if anyone wants more information just drop me an email.
>
> I have had implemented such an extension, as Giles refers, in 2001 to

--
David W. Goodrum
Senior Systems Engineer
NFR Security
Mobile: 703.731.3765
Office: 240.747.3425

Received on Tue Aug 5 14:15:09 2003
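As an added example (not NFR's or Sourcefire's code), this Python sketch shows the alert handling the thread describes: an alert is kept but demoted when the passively fingerprinted destination OS/server is not one the signature targets, and an HTTP request with no User-Agent header is flagged separately. The asset records, platform labels and alerts are constructed sample data.

```python
# Added example (not NFR's or Sourcefire's code): de-prioritise an alert when a
# passive fingerprint of the destination shows the target platform does not
# match what the signature attacks, and flag HTTP requests with no User-Agent.
# Platform labels, asset records and alerts below are constructed sample data.
from dataclasses import dataclass


@dataclass
class Alert:
    signature: str
    dst: str
    priority: int          # 1 = highest, Snort-style priority numbering
    targets: frozenset     # platforms the signature's exploit applies to


# Constructed output of a passive fingerprinter: host -> (os, http server)
ASSETS = {
    "10.0.0.5": {"os": "redhat", "http": "apache"},
    "10.0.0.9": {"os": "windows", "http": "iis"},
}


def adjust_priority(alert, assets, demote_by=2):
    """Return (priority, reason). The alert is never dropped; its priority only
    falls when the fingerprinted destination is outside the signature's targets.
    Hosts with no fingerprint keep their original priority."""
    asset = assets.get(alert.dst)
    if asset is None:
        return alert.priority, "destination not fingerprinted"
    seen = {asset["os"], asset["http"]}
    if seen & alert.targets:
        return alert.priority, "destination matches signature target"
    return alert.priority + demote_by, f"target mismatch: {sorted(seen)}"


def user_agent_class(headers):
    """Classify the source by its User-Agent header (header names compared
    case-insensitively). A missing header is what a hand-typed request looks
    like; a browser normally sends one starting with 'Mozilla/'."""
    ua = {k.lower(): v for k, v in headers.items()}.get("user-agent")
    if ua is None:
        return "no-user-agent"
    return "browser-like" if ua.lower().startswith("mozilla/") else "other"


if __name__ == "__main__":
    a = Alert("WEB-IIS nimda", "10.0.0.5", 1, frozenset({"windows", "iis"}))
    print(adjust_priority(a, ASSETS))      # (3, "target mismatch: ['apache', 'redhat']")
    print(user_agent_class({"Host": "example.test"}))   # no-user-agent
```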