
Re: IDS is dead, etc

From: Barry Fitzgerald <bkfsec(at)sdf.lonestar.org>
Date: Thu Aug 07 2003 - 16:49:10 EDT

Tom Arseneault wrote:

>Also signatures are not perfect, there might be two closely related

I can think of two examples of signatures that we're patched against here that I'd still want to see:

  1. The latest RPC DCOM signature for my IDS. All of our systems are patched here. However, as has been shown recently, under certain circumstances the Microsoft RPC patch will keep a system from being compromised, but the exploit will still cause instability in any given system. In this case, I absolutely want to know if packets containing this exploit come down the line, even though I'm already patched.
  2. Code Red II. Are Code Red II signature hits interesting? No - not at all. I know we're patched and I have yet to see a system in our network actually sending the worm. However, the majority of signatures tripped by Code Red II on my system are for attempted cmd.exe access. I use the Code Red II root.exe signatures on my IDS to correlate these cmd.exe attacks with a known infected Code Red box.

So, these two real world examples show how signatures that may generate normally "uninteresting" traffic data can produce interesting correlation data or interesting data in the event of other problems.

Until someone comes out with an IDS signature format with more than one level and with intercorrelated reporting, uninteresting events will continue to generate interesting side-analysis. :)

Oh yes, and someone (perhaps tongue-in-cheek) mentioned that a properly configured firewall removes the need for an NIDS. I have to chime in and say that I couldn't possibly disagree more. If you were joking, then I apologize for misunderstanding you. However, having a firewall - no matter how rock solid and perfect it is - is only a portion of a good network security infrastructure.

Just my $0.02 ...


       -Barry
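The two cases Barry describes amount to a correlation step on top of the raw signature hits: a Code Red II root.exe hit is only interesting because it lets you attribute the otherwise generic cmd.exe probes from the same source, and an RPC DCOM exploit hit against a patched host is interesting because the exploit traffic can still destabilise the service. The following is an added example, not code from the original post or from any IDS product; the alert line format, the signature names, the sample alerts and the patched-host inventory are all constructed for the illustration.

```python
"""Correlating 'uninteresting' IDS signature hits with other alerts.

Added example (not from the mailing-list post above). Two rules mirror
the two cases in the message:

  1. An RPC DCOM exploit signature that fires against a host already
     carrying the RPC patch is still reported, because the exploit
     traffic can destabilise the service even when it cannot compromise it.
  2. A generic cmd.exe access attempt is attributed to a Code Red II
     infected source when the same source also tripped the Code Red II
     root.exe signature; otherwise it is reported as unattributed.

The alert format, signature names and host list are assumptions made
for this example only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    sig: str


# Constructed sample alerts (not real traffic). One alert per line:
# "<timestamp> <src_ip> <dst_ip> <signature name>"
SAMPLE_ALERTS = """\
2003-08-07T12:00:01 10.0.0.5 192.0.2.10 WEB-IIS cmd.exe access
2003-08-07T12:00:02 10.0.0.5 192.0.2.10 WEB-IIS CodeRed II root.exe access
2003-08-07T12:00:03 10.0.0.7 192.0.2.11 WEB-IIS cmd.exe access
2003-08-07T12:01:00 10.0.0.9 192.0.2.20 NETBIOS DCERPC ISystemActivator bind attempt
2003-08-07T12:01:01 10.0.0.9 192.0.2.21 NETBIOS DCERPC ISystemActivator bind attempt
"""

# Assumed inventory: hosts that already have the RPC DCOM patch applied.
PATCHED_RPC_HOSTS = {"192.0.2.20"}

# Assumed signature names; real rule sets name these differently.
CODERED_SIG = "WEB-IIS CodeRed II root.exe access"
CMD_SIG = "WEB-IIS cmd.exe access"
RPC_SIG = "NETBIOS DCERPC ISystemActivator bind attempt"


def parse_alerts(text: str) -> list[Alert]:
    """Parse whitespace-separated alert lines into Alert records."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The signature name may itself contain spaces, so split at most 3 times.
        ts, src, dst, sig = line.split(maxsplit=3)
        alerts.append(Alert(ts, src, dst, sig))
    return alerts


def correlate(alerts: list[Alert]) -> list[tuple[str, str]]:
    """Return (finding_kind, address) tuples derived from the raw hits.

    The root.exe hit itself produces no finding; its value is entirely in
    attributing the cmd.exe probes from the same source.
    """
    findings = []
    # Sources known to be Code Red II infected: they tripped the root.exe signature.
    codered_sources = {a.src for a in alerts if a.sig == CODERED_SIG}
    for a in alerts:
        if a.sig == CMD_SIG:
            if a.src in codered_sources:
                findings.append(("codered_cmd_exe", a.src))
            else:
                findings.append(("unattributed_cmd_exe", a.src))
        elif a.sig == RPC_SIG:
            # Report the exploit attempt either way; the patched case is the
            # one that would otherwise be dismissed as noise.
            if a.dst in PATCHED_RPC_HOSTS:
                findings.append(("rpc_exploit_vs_patched_host", a.dst))
            else:
                findings.append(("rpc_exploit_vs_unpatched_host", a.dst))
    return findings


if __name__ == "__main__":
    for kind, addr in correlate(parse_alerts(SAMPLE_ALERTS)):
        print(f"{kind:32s} {addr}")
```

Run stand-alone, the script attributes the cmd.exe probe from 10.0.0.5 to a Code Red II host, leaves the one from 10.0.0.7 unattributed, and reports the RPC exploit attempt against the patched host 192.0.2.20 alongside the one against the unpatched 192.0.2.21. The point is that neither the root.exe signature nor the "already patched" status is a reason to drop a signature; both feed a second pass that the flat, single-level alert stream cannot express on its own.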



Received on Thu Aug 7 17:53:58 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:16 EDT

