IDS mailing list archives
RE: Views and Correlation in Intrusion Detection
From: "Scott M. Algatt" <salgatt () turtleshell net>
Date: Wed, 25 Jun 2003 09:53:43 -0400 (EDT)
I know that someone is doing something like this already. They are a third-party plug-in to CheckPoint called ipangel. Their software scans the network and updates its database and waits. If I remember, it dynamically creates rules for your network. If you have an Apache web server then it disables all the IIS rules going to that web server. It has been awhile since I looked at their software but feel free to do some reading: http://www.lucidsecurity.com/

Regards,
Scott M. Algatt
Behold the turtle. He makes progress only when he sticks his neck out.

On Tue, 24 Jun 2003, Schmehl, Paul L wrote:
> -----Original Message-----
> From: adam.w.hogan [mailto:adam.w.hogan () delphi com]
> Sent: Tuesday, June 24, 2003 7:24 AM
> To: Focus-Ids (E-mail)
> Cc: Schmehl, Paul L
> Subject: RE: Views and Correlation in Intrusion Detection
>
> > Then you may be in luck, there are a number of companies working on a solution like this. Actually, one week I heard the same presentation about this very idea from three different vendors - this idea's quite the buzz-word right now. I'll warn you, it may be awhile before any of these products are reasonably priced. I am looking forward to hearing more about Sourcefire's RNA, though.
>
> I am as well.
>
> > > And I really think this is a *necessity* if most of us are going to be truly effective.
> >
> > I feel differently; if anybody is on my network trying to use /any/ exploit /anywhere/ I'd like to know about it. Especially on the inside. Perhaps there's a difference between trying to follow this data for a large company than a university?
>
> I can't really say, since all my experience is in edu. I *can* tell you that the amount of attacks we see is so high that it rapidly becomes noise. That's why I'm so anxious to see correlation between attacks and boxes that are vulnerable to those attacks. The rest is really "noise" AFAIC. I don't have time to follow up on stuff that doesn't actually compromise a box.
>
> > The most prominent reason that I don't consider this solution, however, is that it would be ridiculously difficult, if not impossible, to identify every server on the network here. I don't even know how many servers we have, let alone what OS, patch level, and services they have. There are tools being developed to passively scan the network and try to determine these things, but the ones I've seen cost a small fortune.
>
> Nmap is your friend. Just scan the network. If port 80 is open, it's a web server. Doesn't matter if it's *supposed* to be, it is. That's how I identify our major services - web, ms-sql, mysql, mail, etc.
>
> Then I start contacting owners - did you know you were running a service? Did you know that that service is vulnerable? Did you know that we'll take you off the network if it stays vulnerable? I scan *weekly* for SQL Slammer vulnerabilities, open NetBIOS shares and "standard" services (web, mail, databases, etc.)
>
> > (Sorry if I come off as ranting, just trying to chip away at the issue so we can start to tackle smaller bits. Thanks to everybody who has, and will, contribute to the discussion - your ideas are very helpful.)
>
> Not ranting at all. The problem in large network security is information overload. The solution *has* to be some "intelligent" software that sorts through the bits and reports what *really* matters - *really* being defined by the security specialist whose network is being monitored. (As you've acknowledged, what matters to you may not matter to me, and vice versa.)
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>
> -------------------------------------------------------------------------------
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
> -------------------------------------------------------------------------------
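The correlation the thread is circling (ipangel dropping IIS rules for a host that runs Apache; Paul's nmap-derived inventory of who really listens on port 80) reduces to a lookup of each alert's destination against a service inventory. The script below is an added example and is not code from ipangel, Sourcefire, or any poster: it parses constructed nmap grepable (-oG) output into a host/port/product inventory, then sorts constructed IDS alerts into actionable, port-closed, wrong-product and unknown-host buckets. The `targets` field on each alert is a hypothetical per-signature annotation (the product a signature is meaningful against); the alert messages, addresses and scan lines are made up.

```python
"""Triage IDS alerts against a host/service inventory built from nmap
grepable (-oG) output.  Alerts aimed at a port that is not open, or at a
product the host demonstrably does not run (an IIS signature firing against
Apache), are demoted to noise; everything else stays actionable.
Added example: the scan output and the alerts below are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed nmap -oG style output.  Real grepable lines have the shape
# "Host: <ip> (<name>)  Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ..."
NMAP_GREPABLE = """\
# Nmap scan output (constructed sample, not a real scan)
Host: 10.1.1.10 (www)  Ports: 80/open/tcp//http//Apache httpd 2.0.40/, 22/open/tcp//ssh//OpenSSH 3.5p1/
Host: 10.1.1.20 (intranet)  Ports: 80/open/tcp//http//Microsoft IIS webserver 5.0/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2000/
Host: 10.1.1.30 (db)  Ports: 3306/open/tcp//mysql//MySQL 3.23.54/, 1433/closed/tcp//ms-sql-s///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)\s*(?:\t|$)")


@dataclass(frozen=True)
class Service:
    state: str      # open / closed / filtered
    name: str       # nmap service name, e.g. "http"
    product: str    # version-detection string; "" when nmap could not identify it


def parse_nmap_grepable(text):
    """Return {ip: {(port, proto): Service}} from nmap -oG text."""
    inventory = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:                      # comments and hosts without a Ports: field
            continue
        ip, _hostname, ports = m.groups()
        host = inventory.setdefault(ip, {})
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, name, _rpc, product = fields[:7]
            host[(int(port), proto)] = Service(state, name, product)
    return inventory


@dataclass(frozen=True)
class Alert:
    msg: str
    src: str
    dst: str
    dport: int
    proto: str
    targets: str    # hypothetical annotation: product substring the signature is
                    # meaningful against; "" means platform-independent


# Constructed alerts; messages and addresses are made up, not real IDS output.
ALERTS = [
    Alert("WEB-IIS unicode directory traversal", "192.0.2.7", "10.1.1.10", 80, "tcp", "IIS"),
    Alert("WEB-IIS unicode directory traversal", "192.0.2.7", "10.1.1.20", 80, "tcp", "IIS"),
    Alert("MS-SQL xp_cmdshell attempt", "192.0.2.9", "10.1.1.30", 1433, "tcp", "SQL Server"),
    Alert("MS-SQL xp_cmdshell attempt", "192.0.2.9", "10.1.1.20", 1433, "tcp", "SQL Server"),
    Alert("MYSQL root login attempt", "192.0.2.11", "10.1.1.30", 3306, "tcp", "MySQL"),
    Alert("WEB-MISC /etc/passwd access", "192.0.2.12", "10.1.1.99", 80, "tcp", ""),
]


def classify(alert, inventory):
    """One of: actionable, port-closed, wrong-product, unknown-host."""
    host = inventory.get(alert.dst)
    if host is None:
        return "unknown-host"          # never scanned: cannot be dismissed, queue a scan
    svc = host.get((alert.dport, alert.proto))
    if svc is None or svc.state != "open":
        return "port-closed"           # nothing listening, so the attack cannot have landed
    # Only dismiss on positive evidence: an unidentified product stays actionable.
    if alert.targets and svc.product and alert.targets.lower() not in svc.product.lower():
        return "wrong-product"         # e.g. IIS signature against an Apache host
    return "actionable"


def triage(alerts, inventory):
    """Group alerts by verdict so the actionable ones can be read first."""
    buckets = defaultdict(list)
    for a in alerts:
        buckets[classify(a, inventory)].append(a)
    return dict(buckets)


if __name__ == "__main__":
    inv = parse_nmap_grepable(NMAP_GREPABLE)
    for verdict, hits in sorted(triage(ALERTS, inv).items()):
        print(f"== {verdict} ({len(hits)})")
        for a in hits:
            print(f"   {a.src} -> {a.dst}:{a.dport}/{a.proto}  {a.msg}")
```

Two design points matter for the noise argument in the thread: an alert is only demoted when the inventory gives positive evidence against it (a closed port, or a product string that clearly is something else), and a host that was never scanned is kept rather than dropped, which is what makes a stale or incomplete inventory fail safe.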