RE: IDS is dead, etc

[Mark Tinberg <mtinberg () securepipe com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 6 Aug 2003, Tom Arseneault wrote:

> My $.02 worth...

I don't think inflation has driven up the price of my opinions so far yet
8^)

> Any particular Nimda attack if your patched does'nt mean anything, however
> if the volumn of attacks rise sharply in a short time period it's time to
> research as to why is going up: are you the only one seeing it? Is it a
> general rise in volumn for the Internet as a whole? Is part of a signature
> of some new vulnerability? That is why you care even if your patched.

I'm not sure how relevant this really is.  If you are patched against the
vulnerability then you are patched, it doesn't matter if a new variant
is released that exploits the same vulnerability.  A new worm exploiting a
new vulnerability is a different story but hopefully you'd have a seperate
or a more generic sig to detect this.  I don't know how often it would be
that a new worm exploiting a new vulnerability would match the signature
in your IDS sensor for an old vuln such as is exploited by CR/Nimda.

In fact, just limiting ourselves to CR/Nimda, it shouldn't be too
difficult to limit the match to just internal->internal traffic which is
the most effective way to detect an old, unpatched and infected host on
your network.  The attack vector and propegation methods of CR/Nimda are
widly known, and completely uninteresting if you are not vulnerable.

I think what we have here though are different perspectives borne of
different needs and different sensor layouts.  I would imagine that even
if there were sensors on every subnet of UT Dallas that wouldn't be enough
coverage to really determine the attack trends for the Internet at large.
That's probably different from your setup, as an MSSP you have access to
sensors all over the place, so would have more data to go on when
determining wider trends.


> -----Original Message-----
> From: Paul Schmehl [mailto:pauls () utdallas edu]
>
> --On Tuesday, August 05, 2003 13:11:37 -0400 "David W. Goodrum"
> <dgoodrum () nfr com> wrote:
> >     One, provide the customer with more information (i.e. I see nimda
> > alerts, but it also says that the dest OS is RedHat, therefore the end
> > user can ignore it).
>
> This brings up what I guess is a philosophical question.  Why would you
> want to know about Nimda attacks against your servers?  If you're properly
> secured, they won't have any effect.  And if you're not, you'll know about
> them soon enough.
>
> I've altered all these types of rules to alert me when a host *inside* our
> network is infected.  Now *that* I want to know about.  To me, Nimda/Code
> Red/Slammer attacks from the outside are just part of the background noise
> of the Internet.

- -- 
Mark Tinberg <MTinberg () securepipe com>
Network Security Engineer, SecurePipe Inc.
New Key fingerprint = FAEF 15E4 FEB3 08E8 66D5  A1A1 16EE C5E4 E523 6C67
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE/MZ9+Fu7F5OUjbGcRAqbOAKCiDhAnpW1Xmg3IP5+jUViTxYgwjgCcCbNk
MNCc2TYWxNOGmCnCzKXzoaw=
=bz2B
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------