RE: IDS is dead, etc

From: Tom Arseneault <TArseneault(at)counterpane.com>
Date: Thu Aug 07 2003 - 15:00:31 EDT


My point was "In a perfect world with unlimited resources" monitoring for all types of attacks, whether or not you're vulnerable, gives you a good indicator of who your enemies are and what they are doing. And I agree that in most cases this is not practical, not enough people, money, or compute resources, but that does not mean it's a bad idea.

Also, signatures are not perfect. There might be two closely related vulnerabilities, one being patched and the other not, which could match the same signature, and if you ignore the signature because you think you're patched you could be wrong. No, I can't think of any examples, but since his was a "philosophical question" and not a specific point I felt it was valid to stretch the bounds of probability a bit.

Here is my overall IDS opinion (mentioned just so I can get feedback as to how close/far from the mark I am): an external (outside the firewall) NIDS system that just logs, only used to give general attack trends but does not give alerts, and internal NIDS systems at strategic locations to closely monitor the important systems, which do give alerts. Of course, generous amounts of HIDS and other technology sprinkled along the way to round out the package.

Sorry about leaving out the "In a perfect world with unlimited resources" part; it may have made my original post more in line with others' thinking.

Thomas J. Arseneault
Security Engineer
Counterpane Internet Security
tarseneault@counterpane.com

-----Original Message-----
From: Mark Tinberg [mailto:mtinberg@securepipe.com]
Sent: Wednesday, August 06, 2003 4:38 PM
To: Tom Arseneault
Cc: 'Paul Schmehl'; focus-ids@securityfocus.com
Subject: RE: IDS is dead, etc

On Wed, 6 Aug 2003, Tom Arseneault wrote:

> My $.02 worth...

I don't think inflation has driven up the price of my opinions so far yet 8^)

> Any particular Nimda attack if you're patched doesn't mean anything, however

I'm not sure how relevant this really is. If you are patched against the vulnerability then you are patched; it doesn't matter if a new variant is released that exploits the same vulnerability. A new worm exploiting a new vulnerability is a different story, but hopefully you'd have a separate or a more generic sig to detect this. I don't know how often it would be that a new worm exploiting a new vulnerability would match the signature in your IDS sensor for an old vuln such as is exploited by CR/Nimda.

In fact, just limiting ourselves to CR/Nimda, it shouldn't be too difficult to limit the match to just internal->internal traffic, which is the most effective way to detect an old, unpatched and infected host on your network. The attack vector and propagation methods of CR/Nimda are widely known, and completely uninteresting if you are not vulnerable.

I think what we have here, though, are different perspectives born of different needs and different sensor layouts. I would imagine that even if there were sensors on every subnet of UT Dallas that wouldn't be enough coverage to really determine the attack trends for the Internet at large. That's probably different from your setup; as an MSSP you have access to sensors all over the place, so would have more data to go on when determining wider trends.

> -----Original Message-----

--
Mark Tinberg <MTinberg@securepipe.com>
Network Security Engineer, SecurePipe Inc.
New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67

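As an added example (not code from the thread or from either poster), here is how the triage both posters describe could be applied to an alert log: signature hits for a worm whose vulnerability is patched are kept as trend data only, while the same signature seen between two internal hosts is escalated as a likely unpatched, infected machine. The network ranges, signature names and alert lines are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed: the address ranges that count as "inside" for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed: signature names whose vulnerability every host here is patched for.
PATCHED_SIGS = {"CodeRed-II", "Nimda-RICHED20"}

# Constructed alert lines in a simple "signature,src,dst" form.
SAMPLE_ALERTS = """\
CodeRed-II,203.0.113.7,10.1.2.3
Nimda-RICHED20,10.1.2.3,10.1.2.9
SSH-bruteforce,198.51.100.5,10.1.2.3
CodeRed-II,198.51.100.9,10.1.2.3
"""

def is_internal(addr):
    """True if addr falls inside one of the internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def triage(line):
    """Classify one alert line as escalate / trend / alert, with a reason."""
    sig, src, dst = line.strip().split(",")
    if sig in PATCHED_SIGS and is_internal(src) and is_internal(dst):
        # Patched vuln, but an internal host is the *source*: it is infected.
        return "escalate", f"{src} looks infected ({sig}) and is scanning {dst}"
    if sig in PATCHED_SIGS:
        # Known worm from outside against a patched vuln: trend data only.
        return "trend", f"{sig} from {src}, vuln patched, logged for trends"
    # Anything not on the patched list still gets a real alert.
    return "alert", f"{sig} {src}->{dst} not covered by patch list"

def summarize(log):
    """Count each disposition and collect the reasons for escalated alerts."""
    counts = Counter()
    escalated = []
    for line in log.splitlines():
        if not line.strip():
            continue
        verdict, reason = triage(line)
        counts[verdict] += 1
        if verdict == "escalate":
            escalated.append(reason)
    return {"counts": dict(counts), "escalated": escalated}

if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
```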



Received on Thu Aug 7 16:23:57 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:16 EDT
