IDS mailing list archives

RE: Views and Correlation in Intrusion Detection


From: "Rob Shein" <shoten () starpower net>
Date: Thu, 19 Jun 2003 19:53:32 -0400

Actually, smart money says you need to look at the sixth packet before
deciding.  It could be a probe for the existence of the service that was
potentially vulnerable to the other five attacks, a borked attempt at one of
the other five attacks, or just a continuation of one of the other five
attacks (let's say, for example, that the attacker is on a DSL line, and
therefore has an MTU of about 1490).  This is one of the things that makes
correlation so tricky... you've got to have eyes on the data to be able to
draw conclusions.  I'd say that of all the possible things I can think of,
though, an unknown attack is the least likely scenario in this case.

-----Original Message-----
From: Stephen P. Berry [mailto:spb () meshuggeneh net] 
Sent: Tuesday, June 17, 2003 8:31 PM
To: DAVID MARKLE
Cc: Blake Matheny; focus-ids () securityfocus com; spb () meshuggeneh net
Subject: Re: Views and Correlation in Intrusion Detection 


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


DAVID MARKLE writes:

An IDS alert is ONLY relevant if the firewall permits the traffic through.
To further the comment, an attack signature tripped for (known attack) xyz
is ONLY relevant when the attacked host is vulnerable to xyz.  This is the
ultimate job of correlation.  If the above surrounding conditions are true,
the severity of the attack becomes increased to critical, otherwise it is
informational only.

I disagree.  If you see six packets from a single source and five of them
match five discrete attack signatures and your NIDS doesn't tell you
anything about the sixth, the smart money says that someone just tried five
attacks you know about and one you don't.  If you're ignoring the five
(because you know you're safe from them), you just missed the sixth (which
is the one you're going to get paged about a couple hours later)[0].

If you're about to suggest that disambiguating this sort of situation isn't
something that most NIDS products do well (or, indeed, at all), ya got me
there.  But, alas, we have not yet found a way to convince the blackhats to
only attack us in such ways as we find convenient to monitor[1].  The
question you've got to ask yourself is what your NIDS is there for:  to
behave such that it does not inconvenience your incident analysts, or to
behave in such a way as to catch the maximum number of bad guys[2].

- -spb

- -----
0     Random aside:  try to express what I've just described using the
      IDMEF.
1     Certainly not in the general case.  Honeynets and such things
      undoubtedly work for some situations.
2     Of course this is a min/max problem, and neither extreme is
      optimal.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iD8DBQE+77LKG3kIaxeRZl8RAsZkAKCNkPAuIk8PwHWWyyTFGL97g/28VQCghDsJ
ufkLX5efYFmRWacwHCtUKQ8=
=cRIB
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists.  See for yourself what the buzz is about!
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------




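The disagreement in this thread is really about what a correlation rule should do with the sixth packet. The script below is an added illustration (not code from either poster) of a per-source correlator that applies both positions: Markle's rule (a known attack against a host known to be vulnerable escalates to critical) and Berry's caveat (several known attacks from one source plus traffic the NIDS could not name is escalated for a human to look at, rather than being dropped as "informational"). The packet records, signature names and vulnerability table are all constructed sample data; the threshold of three distinct signatures is an arbitrary assumption for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    """One NIDS observation: where it came from, where it went, and which
    signature (if any) the sensor matched.  sig=None is the 'sixth packet'
    the NIDS has nothing to say about."""
    src: str
    dst: str
    sig: Optional[str]


@dataclass
class SourceSummary:
    src: str
    dsts: Set[str] = field(default_factory=set)
    signatures: Set[str] = field(default_factory=set)
    unmatched: int = 0


def summarise(packets: List[Packet]) -> Dict[str, SourceSummary]:
    """Group observations by source address, counting distinct signatures
    and the number of packets the sensor could not classify."""
    out: Dict[str, SourceSummary] = {}
    for p in packets:
        s = out.setdefault(p.src, SourceSummary(p.src))
        s.dsts.add(p.dst)
        if p.sig is None:
            s.unmatched += 1
        else:
            s.signatures.add(p.sig)
    return out


def classify(s: SourceSummary, vuln: Dict[str, Set[str]], min_sigs: int = 3) -> str:
    """Assign a disposition to one source.

    vuln maps a host to the set of signatures it is known to be vulnerable to
    (the 'surrounding conditions' Markle's rule depends on)."""
    # Markle's rule: known attack against a host known to be vulnerable.
    for dst in s.dsts:
        if s.signatures & vuln.get(dst, set()):
            return "critical"
    # Berry's caveat: a source that fired several known signatures AND sent
    # traffic the sensor could not name is not safe to dismiss just because
    # the named attacks would have failed.
    if len(s.signatures) >= min_sigs and s.unmatched > 0:
        return "investigate"
    if s.signatures:
        return "informational"
    return "none"


def correlate(packets: List[Packet], vuln: Dict[str, Set[str]], min_sigs: int = 3) -> Dict[str, str]:
    return {src: classify(s, vuln, min_sigs) for src, s in summarise(packets).items()}


# Constructed sample data: signature names and addresses are placeholders.
SAMPLE = [
    # Berry's scenario: five distinct known attacks plus one unclassified packet.
    Packet("203.0.113.7", "192.0.2.20", "known-attack-1"),
    Packet("203.0.113.7", "192.0.2.20", "known-attack-2"),
    Packet("203.0.113.7", "192.0.2.20", "known-attack-3"),
    Packet("203.0.113.7", "192.0.2.20", "known-attack-4"),
    Packet("203.0.113.7", "192.0.2.20", "known-attack-5"),
    Packet("203.0.113.7", "192.0.2.20", None),
    # Markle's scenario: one known attack against a host vulnerable to it.
    Packet("198.51.100.3", "192.0.2.10", "known-attack-9"),
    # One known attack against a host that is not vulnerable to it.
    Packet("198.51.100.9", "192.0.2.20", "known-attack-1"),
    # A single unclassified packet with nothing else from that source.
    Packet("192.0.2.99", "192.0.2.20", None),
]

# Constructed vulnerability table: host -> signatures it is exposed to.
VULN = {"192.0.2.10": {"known-attack-9"}}


def demo() -> Dict[str, str]:
    return correlate(SAMPLE, VULN)


if __name__ == "__main__":
    for src, verdict in demo().items():
        print(f"{src:14} {verdict}")
```

The point of the `investigate` disposition is that the decision is made on the whole set of packets from a source, not on each alert in isolation: the five suppressed alerts still contribute evidence about the sixth packet. In a real deployment the threshold, the time window and the vulnerability table would come from the asset inventory and the sensor's own configuration rather than from constants in the script.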

