IDS mailing list archives

Re: IDS is dead, etc


From: Martin Roesch <roesch () sourcefire com>
Date: Sun, 22 Jun 2003 11:44:44 -0400

On 6/19/03 6:52 PM, "Giles Coochey" <giles () coochey net> wrote:

On Thursday 19 June 2003 4:57 pm, Martin Roesch wrote:

So, is there any way to make the quality of data coming out of the IDS
higher while at the same time diminishing the amount of information
generated?  We've been talking about this exact topic on this list since
1999 on and off and I think all the IDS vendors have ideas how to
achieve this goal by integrating network maps and host/service
identification into the IDS's world view.  If those ideas should
actually make their way to market, would that make the systems more
useful?  I believe so.  (At this point I usually pitch Sourcefire, but
I'll spare you all.)


I would love to see a fingerprinting tool that identified the client and
server Operating System / Application and reduced the priority of alerts
for false positives when it is known that the system is not vulnerable.
The alerts still flag, so we see the drive-by-shootings, but as their
priority is reduced they are less significant.

Anyone got any development ideas on this front?

I'm working on just such a program/product called RNA (Real-time Network
Awareness) right now, we've got a press release outlining the technology
(which isn't available yet) on the Sourcefire web site.  I'll spare everyone
the marketing here, if anyone wants more information just drop me an email.

There are some GPLd passive fingerprinting tools available, as well as
nmap's database, that can supply code to be integrated here. I would also love
to see a Snort Ethereal plugin, as I regularly take a raw packet dump of our
traffic and inspect it.

You could do this sort of thing by tying a bunch of open source tools
together (nmap, p0f, nessus, xprobe, etc), although the efficiency of the
solution would depend on how many man hours you'd want to put into it.

[snip] 

Snort is very much the "grep" tool of the network and a little more; any
network admin who doesn't do the occasional packet dump of their
ingress/egress traffic and inspect it manually is a fool. Snort and other
NIDS simply try to help in that process.

I'd argue that Snort is a lot more than network grep, but I'm biased. :)
Anyone noticed the more advanced stuff you can do with Snort 2.0 rules yet?
Here's an example:

alert tcp $EXTERNAL_NET any -> $HOME_NET 32770:34000 \
(msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; \
flow:to_server,established; \
content:"|00 01 86 E4|"; \
content:"|00 00 00 15|"; distance:4; within:4; \
byte_jump:4,12,relative,align; \
byte_test:4,>,1024,20,relative; \
reference:cve,CVE-1999-0696; \
reference:bugtraq,524; \
classtype:attempted-admin; sid:1908; rev:3;)


    -Marty

-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
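
The rule Marty quotes above is worth unpacking, because the byte_jump/byte_test pair is doing real protocol parsing rather than string matching. What follows is an added illustration, not code from the original post and not Snort's engine: a small Python model of the cursor semantics of content (with distance/within), byte_jump and byte_test, applied in the same order as sid:1908 to a constructed ONC RPC call (RFC 1831 record mark, call header, AUTH_UNIX credential, AUTH_NULL verifier, one XDR string argument). The helper names and the sample packet builder are my own; the port restriction, flow:to_server,established and Snort's retry on later occurrences of the first content are not modelled.

```python
# Added illustration: a tiny Python model of the detection options in the
# Snort rule quoted above (sid:1908).  This is NOT Snort's engine; it mimics
# the cursor semantics of content/distance/within, byte_jump and byte_test
# only well enough to show what that rule inspects in an ONC RPC call.
# Port, flow:to_server,established and fast-pattern retries are ignored.
import struct

CMSD_PROG_BYTES = bytes.fromhex("000186e4")    # program 100068 = rpc.cmsd
CMSD_CREATE_BYTES = bytes.fromhex("00000015")  # procedure 21 = CMSD_CREATE
AUTH_NULL, AUTH_UNIX = 0, 1


class Cursor:
    """Payload plus the 'end of last match' pointer Snort keeps for relative options."""
    def __init__(self, payload: bytes):
        self.payload = payload
        self.pos = 0


def content(cur: Cursor, pattern: bytes, distance=None, within=None) -> bool:
    """content:"..." with optional relative modifiers distance/within."""
    if distance is None:                       # absolute: search the whole payload
        start, end = 0, len(cur.payload)
    else:                                      # relative: window after the last match
        start = cur.pos + distance
        end = len(cur.payload) if within is None else start + within
    idx = cur.payload.find(pattern, start, end)
    if idx < 0:
        return False
    cur.pos = idx + len(pattern)
    return True


def byte_jump(cur: Cursor, nbytes: int, offset: int, align: bool = False) -> bool:
    """byte_jump:nbytes,offset,relative[,align]: read a big-endian length at
    cursor+offset and move the cursor past that field and that many bytes."""
    at = cur.pos + offset
    if at + nbytes > len(cur.payload):
        return False
    value = int.from_bytes(cur.payload[at:at + nbytes], "big")
    if align:                                  # XDR pads opaque data to 4-byte boundaries
        value = (value + 3) & ~3
    cur.pos = at + nbytes + value
    return cur.pos <= len(cur.payload)


def byte_test(cur: Cursor, nbytes: int, op: str, value: int, offset: int) -> bool:
    """byte_test:nbytes,op,value,offset,relative on a big-endian field."""
    at = cur.pos + offset
    if at + nbytes > len(cur.payload):
        return False
    field = int.from_bytes(cur.payload[at:at + nbytes], "big")
    return {">": field > value, "<": field < value, "=": field == value}[op]


def sid_1908_matches(payload: bytes) -> bool:
    """Evaluate the rule's detection options in order; True means it would fire."""
    cur = Cursor(payload)
    return (content(cur, CMSD_PROG_BYTES)                              # prog == rpc.cmsd
            and content(cur, CMSD_CREATE_BYTES, distance=4, within=4)  # skip vers; proc == 21
            and byte_jump(cur, 4, 12, align=True)                      # hop over AUTH_UNIX machine name
            and byte_test(cur, 4, ">", 1024, 20))                      # first XDR string length > 1024


def xdr_string(s: bytes) -> bytes:
    """XDR string/opaque: 4-byte length, data, zero padding to a multiple of 4."""
    return struct.pack(">I", len(s)) + s + b"\x00" * (-len(s) % 4)


def build_cmsd_create_call(hostname: bytes, arg_len: int, proc: int = 0x15) -> bytes:
    """Constructed sample (not a real capture): an ONC RPC CALL to rpc.cmsd over
    TCP with an AUTH_UNIX credential, AUTH_NULL verifier and one XDR string
    argument of arg_len bytes.  The record mark is the RFC 1831 TCP framing."""
    cred_body = (struct.pack(">I", 0x1234)          # stamp
                 + xdr_string(hostname)             # machinename: the byte_jump target
                 + struct.pack(">III", 0, 0, 0))    # uid, gid, number of gids = 0
    cred = struct.pack(">II", AUTH_UNIX, len(cred_body)) + cred_body
    verf = struct.pack(">II", AUTH_NULL, 0)
    # xid, msg_type CALL, rpcvers 2, prog 100068, vers 5, proc
    header = struct.pack(">IIIIII", 0x12345678, 0, 2, 100068, 5, proc)
    body = header + cred + verf + xdr_string(b"A" * arg_len)
    return struct.pack(">I", 0x80000000 | len(body)) + body   # last-fragment bit + length


if __name__ == "__main__":
    print("overflow attempt:", sid_1908_matches(build_cmsd_create_call(b"host", 2000)))
    print("benign create:   ", sid_1908_matches(build_cmsd_create_call(b"host", 16)))
```

The point of byte_jump:4,12,relative,align is that the credential in front of the arguments is variable length: 12 bytes past the procedure number sits the AUTH_UNIX machine name's length field, and the jump skips the name plus its XDR padding (an odd-length hostname such as "sunbox" only parses correctly because of align). Only then does byte_test sit at a fixed 20-byte offset from the first argument's length word, which is the field the overflow abuses; a pure pattern match could not express that.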


