IDS mailing list archives

Re: Views and Correlation in Intrusion Detection


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Tue, 17 Jun 2003 17:31:26 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


DAVID MARKLE writes:

An IDS alert is ONLY relevant if the
firewall permits the traffic through.  To further the comment, an
attack signature tripped for (known attack) xyz is ONLY relevant when
the attacked host is vulnerable to xyz.  This is the ultimate job of
correlation.  If the above surrounding conditions are true, the
severity of the attack becomes increased to critical, otherwise it is
informational only.

I disagree.  If you see six packets from a single source and five of them
match five discrete attack signatures and your NIDS doesn't tell you
anything about the sixth, the smart money says that someone just tried
five attacks you know about and one you don't.  If you're ignoring the
five (because you know you're safe from them), you just missed the sixth
(which is the one you're going to get paged about a couple hours later)[0].

If you're about to suggest that disambiguating this sort of situation
isn't something that most NIDS products do well (or, indeed, at all),
ya got me there.  But, alas, we have not yet found a way to convince
the blackhats to only attack us in such ways as we find convenient
to monitor[1].  The question you've got to ask yourself is what your
NIDS is there for:  to behave such that it does not inconvenience your
incident analysts, or to behave in such a way as to catch the maximum
number of bad guys[2].

- -spb

- -----
0       Random aside:  try to express what I've just described using the
        IDMEF.
1       Certainly not in the general case.  Honeynets and such things
        undoubtedly work for some situations.
2       Of course this is a min/max problem, and neither extreme is
        optimal.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iD8DBQE+77LKG3kIaxeRZl8RAsZkAKCNkPAuIk8PwHWWyyTFGL97g/28VQCghDsJ
ufkLX5efYFmRWacwHCtUKQ8=
=cRIB
-----END PGP SIGNATURE-----
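The two correlation rules argued about above, worked through in code. This is an added example and not code from either poster; the packets, signature names, hosts and the vulnerability/firewall tables are constructed and hypothetical. It shows the quoted rule (severity decided per alert from firewall plus vulnerability state) beside the reply's alternative (group traffic by source, escalate a source that trips several known signatures, and keep the unmatched packet attached to the finding instead of dropping it):

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sig: Optional[str]  # NIDS signature that fired, or None if nothing matched


# Constructed sample traffic (not a real capture): six packets from one source
# to one host; five trip distinct known signatures, the sixth matches nothing.
SAMPLE = [
    Packet("203.0.113.7", "192.0.2.10", 80,   "WEB-IIS unicode traversal"),
    Packet("203.0.113.7", "192.0.2.10", 80,   "WEB-IIS cmd.exe access"),
    Packet("203.0.113.7", "192.0.2.10", 80,   "WEB-PHP phpinfo probe"),
    Packet("203.0.113.7", "192.0.2.10", 443,  "WEB-MISC ssl handshake overflow"),
    Packet("203.0.113.7", "192.0.2.10", 80,   "WEB-CGI formmail access"),
    Packet("203.0.113.7", "192.0.2.10", 8080, None),
]

# Hypothetical asset knowledge: the firewall permits all three ports, and the
# target is patched against every one of the five signatures.
PERMITTED = {("192.0.2.10", 80), ("192.0.2.10", 443), ("192.0.2.10", 8080)}
VULNERABLE_TO = {"192.0.2.10": set()}


def vuln_only_severity(pkt, permitted=PERMITTED, vulnerable_to=VULNERABLE_TO):
    """The rule quoted at the top of the message: an alert is critical only
    when the firewall lets the packet through AND the host is vulnerable to
    the attack; otherwise it is informational. A packet with no signature
    produces no alert at all, which is the gap the reply is about."""
    if pkt.sig is None:
        return None
    if (pkt.dst, pkt.dport) in permitted and pkt.sig in vulnerable_to.get(pkt.dst, set()):
        return "critical"
    return "informational"


def source_correlated(packets, threshold=3):
    """The reply's point, as logic: group traffic by source. A source that
    trips several distinct signatures is treated as an attacker regardless of
    whether the targets are vulnerable, and every packet from it, including
    the ones no signature matched, is attached to the finding."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)

    findings = {}
    for src, pkts in by_src.items():
        distinct = {p.sig for p in pkts if p.sig is not None}
        unmatched = [p for p in pkts if p.sig is None]
        if len(distinct) >= threshold:
            findings[src] = {
                "severity": "critical",
                "signatures": sorted(distinct),
                "unmatched": unmatched,  # the sixth packet is surfaced here
            }
    return findings


def compare(packets=SAMPLE):
    """Run both strategies over the same traffic and return what each shows."""
    per_alert = [vuln_only_severity(p) for p in packets]
    per_source = source_correlated(packets)
    return {"per_alert": per_alert, "per_source": per_source}


if __name__ == "__main__":
    result = compare()
    print("per-alert (vulnerability-only) view:", result["per_alert"])
    for src, f in result["per_source"].items():
        print(f"{src}: {f['severity']}, {len(f['signatures'])} known attacks, "
              f"{len(f['unmatched'])} unmatched packet(s) to port(s) "
              f"{[p.dport for p in f['unmatched']]}")
```

Under the per-alert rule the five known attacks come back as informational and the sixth packet does not appear at all; under the per-source rule the same six packets produce one critical finding that carries the unmatched packet with it. The threshold is a tunable and the example makes no claim about what value any real NIDS uses.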
