IDS mailing list archives
Re: IDS is dead, etc
From: Martin Roesch <roesch () sourcefire com>
Date: Sun, 22 Jun 2003 11:44:44 -0400
On 6/19/03 6:52 PM, "Giles Coochey" <giles () coochey net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thursday 19 June 2003 4:57 pm, Martin Roesch wrote:
>> So, is there any way to make the quality of data coming out of the IDS higher while at the same time diminishing the amount of information generated? We've been talking about this exact topic on this list since 1999 on and off and I think all the IDS vendors have ideas how to achieve this goal by integrating network maps and host/service identification into the IDS's world view. If those ideas should actually make their way to market, would that make the systems more useful? I believe so. (At this point I usually pitch Sourcefire, but I'll spare you all.)
>
> I would love to see a fingerprinting tool that identified the client and server Operating System / Application and reduced the priority of alerts for false positives when it is known that the system is not vulnerable. The alerts still flag, so we see the drive-by-shootings, but as their priority is reduced they are less significant. Anyone got any development ideas on this front?
I'm working on just such a program/product called RNA (Real-time Network Awareness) right now; we've got a press release outlining the technology (which isn't available yet) on the Sourcefire web site. I'll spare everyone the marketing here, if anyone wants more information just drop me an email.
> There are some GPLd passive fingerprinting tools available, as well as nmap's database that can supply code to be integrated here. I would also love to see a Snort Ethereal plugin as I regularly take a raw packet dump of our traffic and inspect it.
You could do this sort of thing by tying a bunch of open source tools together (nmap, p0f, nessus, xprobe, etc), although the efficiency of the solution would depend on how many man hours you'd want to put into it. [snip]
> Snort is very much the "grep" tool of the network and a little more, any network admin who doesn't do the occasional packet dump of their ingress/egress traffic and inspect it manually is a fool, snort and other NIDS simply try to help in that process.
I'd argue that Snort is a lot more than network grep, but I'm biased. :) Anyone noticed the more advanced stuff you can do with Snort 2.0 rules yet? Here's an example:

alert tcp $EXTERNAL_NET any -> $HOME_NET 32770:34000 \
    (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; \
    flow:to_server,established; \
    content:"|00 01 86 E4|"; \
    content:"|00 00 00 15|"; distance:4; within:4; \
    byte_jump:4,12,relative,align; \
    byte_test:4,>,1024,20,relative; \
    reference:cve,CVE-1999-0696; \
    reference:bugtraq,524; \
    classtype:attempted-admin; sid:1908; rev:3;)

-Marty

--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
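Two things in this exchange are worth seeing in code: what the content/byte_jump/byte_test chain in Marty's rule actually walks through in an RPC call, and the alert re-prioritisation against a host/service map that Giles asks for. The script below is an added example, not Sourcefire code, Snort code or anything posted in the thread. It assumes: that byte_jump lands at the byte after the extracted field plus the aligned jump value (my reading of Snort's documented semantics); that the caller uses a zero-length AUTH_NULL credential, which is what reading the verifier length at offset 12 past the procedure number implies; a hypothetical CMSD_CREATE argument layout (20 bytes of filler, then a 4-byte XDR string length) so that byte_test has something to read; and a constructed asset inventory of the kind a passive fingerprinter such as p0f or RNA would maintain. Priority 1 for classtype attempted-admin follows Snort's default classification.config.

```python
import struct
from dataclasses import dataclass, replace
from typing import Optional

# Constructed asset inventory: dst IP -> OS and the service seen on each port.
# A passive fingerprinting tool would populate this from observed traffic.
ASSETS = {
    "10.0.0.5": {"os": "Solaris 8", "services": {32771: "rpc.cmsd"}},
    "10.0.0.9": {"os": "Windows 2000", "services": {32771: "unknown"}},
}

# Which target services a given signature is actually relevant to (sid 1908 is
# the CMSD rule from the post; the mapping itself is an assumption of this example).
RELEVANT_SERVICES = {1908: {"rpc.cmsd"}}


@dataclass
class Alert:
    sid: int
    msg: str
    dst_ip: str
    dst_port: int
    priority: int  # Snort convention: 1 is the most urgent


def rpc_cmsd_create_request(verf_len: int, string_len: int) -> bytes:
    """Constructed ONC RPC call: program 100068 (rpc.cmsd), procedure 21 (CMSD_CREATE).
    The argument layout after the verifier is hypothetical: 20 filler bytes and then
    a 4-byte XDR string length, which is the field the rule's byte_test examines."""
    # xid, msg_type=CALL, rpcvers=2, prog, vers, proc (all big-endian 32-bit)
    hdr = struct.pack(">IIIIII", 0x1234, 0, 2, 100068, 5, 21)
    cred = struct.pack(">II", 0, 0)  # AUTH_NULL, zero-length body (rule assumes this)
    padded = (verf_len + 3) & ~3     # XDR pads opaque data to a 4-byte boundary
    verf = struct.pack(">II", 0, verf_len) + b"V" * verf_len + b"\x00" * (padded - verf_len)
    args = b"\x00" * 20 + struct.pack(">I", string_len) + b"A" * min(string_len, 64)
    return hdr + cred + verf + args


def matches_cmsd_create_overflow(payload: bytes) -> bool:
    """Re-implements the detection chain of the rule in the post on a raw payload."""
    # content:"|00 01 86 E4|"  -> program number 100068
    prog = payload.find(b"\x00\x01\x86\xe4")
    if prog < 0:
        return False
    doe = prog + 4  # detection pointer sits just after the last match
    # content:"|00 00 00 15|"; distance:4; within:4 -> proc must start exactly 4 bytes on
    if payload[doe + 4:doe + 8] != b"\x00\x00\x00\x15":
        return False
    doe += 8
    # byte_jump:4,12,relative,align -> read the verifier length, round it up to 4,
    # and move the pointer past the length field and the verifier body
    raw = payload[doe + 12:doe + 16]
    if len(raw) < 4:
        return False
    jump = (struct.unpack(">I", raw)[0] + 3) & ~3
    doe = doe + 12 + 4 + jump
    # byte_test:4,>,1024,20,relative -> 4-byte length 20 bytes into the arguments
    raw = payload[doe + 20:doe + 24]
    if len(raw) < 4:
        return False
    return struct.unpack(">I", raw)[0] > 1024


def reprioritize(alert: Alert, assets: dict) -> Alert:
    """Keep the alert, but demote it when the map shows the target does not run
    a service the signature applies to. Unknown hosts keep their priority."""
    host = assets.get(alert.dst_ip)
    if host is None:
        return alert
    service = host["services"].get(alert.dst_port)
    if service not in RELEVANT_SERVICES.get(alert.sid, set()):
        return replace(alert, priority=alert.priority + 2)
    return alert


def analyze(dst_ip: str, dst_port: int, payload: bytes, assets: dict = ASSETS) -> Optional[Alert]:
    """Run the signature and, on a hit, score it against the asset map."""
    if not matches_cmsd_create_overflow(payload):
        return None
    alert = Alert(1908, "RPC CMSD TCP CMSD_CREATE buffer overflow attempt",
                  dst_ip, dst_port, priority=1)
    return reprioritize(alert, assets)


if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.9", "10.0.0.77"):
        print(ip, analyze(ip, 32771, rpc_cmsd_create_request(5, 2048)))
    print("benign:", analyze("10.0.0.5", 32771, rpc_cmsd_create_request(5, 32)))
```

Running it shows the same oversized request raised at priority 1 against the Solaris host that actually runs rpc.cmsd, demoted to priority 3 against the Windows box, and left at priority 1 for a host the inventory has never seen, while a request with a normal-sized string produces no alert at all. The demotion rather than suppression is deliberate: the "drive-by shootings" still show up in the console, they just stop competing with alerts aimed at hosts that can be hurt.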