IDS mailing list archives
Re: Views and Correlation in Intrusion Detection
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Tue, 17 Jun 2003 17:31:26 -0700
DAVID MARKLE writes:

> An IDS alert is ONLY relevant if the firewall permits the traffic through. To further the comment, an attack signature tripped for (known attack) xyz is ONLY relevant when the attacked host is vulnerable to xyz. This is the ultimate job of correlation. If the above surrounding conditions are true, the severity of the attack becomes increased to critical, otherwise it is informational only.

I disagree. If you see six packets from a single source and five of them match five discrete attack signatures and your NIDS doesn't tell you anything about the sixth, the smart money says that someone just tried five attacks you know about and one you don't. If you're ignoring the five (because you know you're safe from them), you just missed the sixth (which is the one you're going to get paged about a couple hours later)[0].

If you're about to suggest that disambiguating this sort of situation isn't something that most NIDS products do well (or, indeed, at all), ya got me there. But, alas, we have not yet found a way to convince the blackhats to only attack us in such ways as we find convenient to monitor[1].

The question you've got to ask yourself is what your NIDS is there for: to behave such that it does not inconvenience your incident analysts, or to behave in such a way as to catch the maximum number of bad guys[2].

-spb

-----

[0] Random aside: try to express what I've just described using the IDMEF.

[1] Certainly not in the general case. Honeynets and such things undoubtedly work for some situations.

[2] Of course this is a min/max problem, and neither extreme is optimal.
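The two views in this exchange side by side, as an added example that is not part of the original post: the per-alert "permitted and vulnerable" rule from the quoted message, and a per-source view that keeps the "safe" alerts as context so the unmatched sixth packet gets escalated rather than lost. All hosts, ports, signature names and the asset data are constructed for the example.

```python
from collections import defaultdict

# Constructed sample: six packets from one source, five matching distinct
# known signatures and one that matched nothing (sig=None), plus one
# unrelated packet from a second source.
EVENTS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 80,   "sig": "attack-sig-1"},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 80,   "sig": "attack-sig-2"},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 21,   "sig": "attack-sig-3"},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 53,   "sig": "attack-sig-4"},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 111,  "sig": "attack-sig-5"},
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 8080, "sig": None},
    {"src": "203.0.113.9",  "dst": "10.0.0.5", "dport": 80,   "sig": "attack-sig-2"},
]

# Constructed asset knowledge: signatures each host is actually vulnerable
# to, and destination ports the firewall lets through to it.
VULNERABLE = {"10.0.0.5": {"attack-sig-1"}}
PERMITTED_PORTS = {"10.0.0.5": {80, 8080}}

def alert_severity(ev):
    """Per-alert rule from the quoted message: critical only when the
    firewall permits the traffic AND the target is vulnerable."""
    permitted = ev["dport"] in PERMITTED_PORTS.get(ev["dst"], set())
    vulnerable = ev["sig"] in VULNERABLE.get(ev["dst"], set())
    return "critical" if permitted and vulnerable else "informational"

def correlate_by_source(events, distinct_threshold=3):
    """Per-source view from the reply: count distinct known signatures and
    unmatched packets per source. Many distinct probes from one source
    make its unmatched traffic worth an analyst's look, whatever the
    per-alert severities said."""
    per_src = defaultdict(lambda: {"sigs": set(), "unmatched": 0, "critical": 0})
    for ev in events:
        s = per_src[ev["src"]]
        if ev["sig"] is None:
            s["unmatched"] += 1
        else:
            s["sigs"].add(ev["sig"])
            s["critical"] += alert_severity(ev) == "critical"
    out = {}
    for src, s in per_src.items():
        escalate = len(s["sigs"]) >= distinct_threshold and s["unmatched"] > 0
        out[src] = {
            "distinct_sigs": len(s["sigs"]), "unmatched": s["unmatched"],
            "critical_alerts": s["critical"],
            "verdict": "investigate-unmatched" if escalate
                       else ("critical" if s["critical"] else "informational"),
        }
    return out
```

With the per-alert rule alone, four of the five matched packets from 198.51.100.7 are informational and the sixth is invisible; the per-source view flags that source for investigation while the lone probe from 203.0.113.9 stays informational.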