IDS mailing list archives
RE: Views and Correlation in Intrusion Detection
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Tue, 24 Jun 2003 11:54:16 -0500
-----Original Message-----
From: adam.w.hogan [mailto:adam.w.hogan () delphi com]
Sent: Tuesday, June 24, 2003 7:24 AM
To: Focus-Ids (E-mail)
Cc: Schmehl, Paul L
Subject: RE: Views and Correlation in Intrusion Detection

> Then you may be in luck, there are a number of companies working on a solution like this. Actually, one week I heard the same presentation about this very idea from three different vendors - this idea's quite the buzz-word right now. I'll warn you, it may be awhile before any of these products are reasonably priced. I am looking forward to hearing more about Sourcefire's RNA, though.

I am as well. And I really think this is a *necessity* if most of us are going to be truly effective.

> I feel differently; if anybody is on my network trying to use /any/ exploit /anywhere/ I'd like to know about it. Especially on the inside. Perhaps there's a difference between trying to follow this data for a large company and for a university?

I can't really say, since all my experience is in edu. I *can* tell you that the amount of attacks we see is so high that it rapidly becomes noise. That's why I'm so anxious to see correlation between attacks and boxes that are vulnerable to those attacks. The rest is really "noise" AFAIC. I don't have time to follow up on stuff that doesn't actually compromise a box.

> The most prominent reason that I don't consider this solution, however, is that it would be ridiculously difficult, if not impossible, to identify every server on the network here. I don't even know how many servers we have, let alone what OS, patch level, and services they have. There are tools being developed to passively scan the network and try to determine these things, but the ones I've seen cost a small fortune.

Nmap is your friend. Just scan the network. If port 80 is open, it's a web server. Doesn't matter if it's *supposed* to be, it is. That's how I identify our major services - web, ms-sql, mysql, mail, etc. Then I start contacting owners - did you know you were running a service? Did you know that that service is vulnerable? Did you know that we'll take you off the network if it stays vulnerable? I scan *weekly* for SQL Slammer vulnerabilities, open NetBIOS shares and "standard" services (web, mail, databases, etc.)

> (Sorry if I come off as ranting, just trying to chip away at the issue so we can start to tackle smaller bits. Thanks to everybody who has, and will, contribute to the discussion - your ideas are very helpful.)
Not ranting at all. The problem in large network security is information overload. The solution *has* to be some "intelligent" software that sorts through the bits and reports what *really* matters - *really* being defined by the security specialist whose network is being monitored. (As you've acknowledged, what matters to you may not matter to me, and vice versa.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
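The correlation Paul describes (keep only alerts aimed at boxes that actually expose the targeted service, treat the rest as noise) as a small added example; this is illustrative code written for this archive page, not anything from the thread's participants or from Sourcefire RNA. The scan results and Snort-fast-style alert lines are constructed sample data, and the matching is on open port and protocol only.

```python
import re
from collections import defaultdict

# Constructed sample: one "host port/proto state service" line per open port,
# the kind of record a weekly nmap sweep of the campus would produce.
SCAN_RESULTS = """\
10.1.1.10 80/tcp open http
10.1.1.10 443/tcp open https
10.1.1.20 1434/udp open ms-sql-m
10.1.1.30 139/tcp open netbios-ssn
"""

# Constructed sample alerts in Snort "fast" format; each names the port it hit.
ALERTS = """\
06/24-11:54:16.000000 [**] [1:2003:1] MS-SQL Worm propagation attempt [**] {UDP} 192.0.2.7:1029 -> 10.1.1.20:1434
06/24-11:55:02.000000 [**] [1:2003:1] MS-SQL Worm propagation attempt [**] {UDP} 192.0.2.7:1030 -> 10.1.1.10:1434
06/24-11:56:40.000000 [**] [1:1002:1] WEB-IIS cmd.exe access [**] {TCP} 198.51.100.4:4455 -> 10.1.1.30:80
06/24-11:57:01.000000 [**] [1:1002:1] WEB-IIS cmd.exe access [**] {TCP} 198.51.100.4:4456 -> 10.1.1.10:80
"""

ALERT_RE = re.compile(r"\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\] \{(?P<proto>\w+)\} "
                      r"\S+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_scan(text):
    """Map each host to the set of (port, PROTO) pairs it was seen listening on."""
    inventory = defaultdict(set)
    for line in text.splitlines():
        host, portproto, state, _service = line.split()
        if state == "open":
            port, proto = portproto.split("/")
            inventory[host].add((int(port), proto.upper()))
    return inventory

def triage(alert_text, inventory):
    """Split alerts into 'actionable' (target really exposes the attacked port)
    and 'noise' (nothing listening there, so the attempt cannot have landed)."""
    actionable, noise = [], []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a fast-format alert line; skip it
        key = (int(m["dport"]), m["proto"])
        bucket = actionable if key in inventory.get(m["dst"], ()) else noise
        bucket.append((m["dst"], m["msg"]))
    return actionable, noise

if __name__ == "__main__":
    hits, dropped = triage(ALERTS, parse_scan(SCAN_RESULTS))
    for dst, msg in hits:
        print(f"FOLLOW UP {dst}: {msg}")
    print(f"{len(dropped)} alert(s) against hosts not running the targeted service")
```

An open port is a necessary condition for an exploit to matter, not a sufficient one; adding OS and patch level to the inventory, as the thread's discussion of RNA-style tools suggests, narrows the "actionable" set further.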