IDS mailing list archives
RE: Rather funny; looks like page defacement to me
From: "Roger A. Grimes" <rogerg () cox net>
Date: Sat, 14 Jun 2003 22:38:13 -0400
Without getting into the very large issues that IDSs usually surround, I've found a few instances where IDSs were the best solution.

1. I was at a client the day the BugBear worm broke loose. Coincidentally, their printers were printing up a lot of garbage that day. One of the side effects of BugBear is that it accidentally tries to infect printer shares (while trying to infect drive shares). This results in printer garbage and locked-up printers. Had Bugbear gotten past the client's normal security defenses and AV software? I mean, AV software doesn't run on HP LaserJets, and AV software wouldn't go off unless the worm was successful in penetrating a weak drive share password. I fired up Snort, googled a Bugbear signature, and waited. No alerts. A few hours later we tracked the problem to a single buggy printer driver (like we all initially suspected).

2. IDSs in the form of a honeypot. I had a client whose extranet database server kept getting files deleted. They hired me to set up a honeypot mimicking the victim system to catch the crackers. Turned out to be an internal employee trying to discredit the database server administrator. Caught and fired.

3. At another client, an Anomaly Detection NIDS noted suspicious password-cracking activity. Again, another internal employee, caught reading the supervisor's email. Caught and still under investigation.

IDSs are often more trouble than they're worth....the key is fine tuning, fine tuning, and fine tuning. But in those instances above, I can't think of another security tool (VA, AV, firewall, etc.) that could have done the job better. My dad taught me that bringing the right screwdriver to the job always made it easier.

Roger

***************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg () cox net
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode/
***************************************************************************

-----Original Message-----
From: broyds () rogers com [mailto:broyds () rogers com]
Sent: Friday, June 13, 2003 3:48 PM
To: Anton Chuvakin; focus-ids () securityfocus com
Subject: Re: Rather funny; looks like page defacement to me

In general, they are perfectly correct. Most IDS installations are very expensive packet sniffers because most installations know so little about their enterprise network that they are unable to tune it in any meaningful way or design and place the sensors to monitor meaningful traffic. I am not saying that IDSs are always useless, but they are most useful as part of a well-designed network that partitions traffic so that there is a good baseline understanding of what traffic should appear on each segment.

Interestingly, they denigrate Intrusion Prevention Systems and hail firewalls, when an IPS is really a firewall with a dynamically generated rule set. Most of us would agree that an internal office network requires a firewall between it and the Internet. The firewall normally only has a static rule set that basically only guarantees that TCP virtual circuits have correct TCP semantics and, for application gateways, that the traffic follows the protocol RFC. Most attacks these days are not at the layer 2/layer 3 level guarded by a firewall, but at layer 7 or above, using the fact that application protocols like HTTP, FTP, SMTP etc. have enough holes in them that a perfectly standards-conforming stream can be used to attack a host at the end of the stream.

Most IDS are still installed by people who don't even understand TCP/IP, let alone HTTP, or the proprietary stuff coming from Real Networks or Microsoft. How are they going to properly tune an IDS to avoid wasting a lot of time and effort on false positives or, conversely, ignoring everything so the IDS has no teeth? So most IDS systems are a waste of money. They may be useful if they are installed by an MSSP who actually understands security, but not by the average sysadmin handed another box and told to install the IDS because the auditors say we need one.

From: Anton Chuvakin <anton () chuvakin org>
Date: 2003/06/13 Fri AM 11:29:51 EDT
To: focus-ids () securityfocus com
Subject: Rather funny; looks like page defacement to me

All,

This link was posted on the snort site. I figured I'd send it to the list, since it's a fascinating read.

http://www.gartner.com/5_about/press_releases/pr11june2003c.jsp

My first impression was that it is a page defacement, so outrageous are some of the claims. For instance, did you know that IDS actually _cause_ incident response to happen? :-) Or this gem: "Money Slated for Intrusion Detection Should Be Invested in Firewalls"?

Best,
--
Anton A. Chuvakin, Ph.D., GCI*
http://www.chuvakin.org
http://www.info-secure.org
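Added example, not from this thread or any of its posters: a toy Python detector that combines a Snort-style content signature (the kind of rule Roger pulled for his printer-share scare) with the per-segment baseline that broyds says most installations lack, plus a tuning layer of suppressions and thresholds. It is there to make "fine tuning" and "baseline understanding of what traffic should appear on each segment" concrete. Every name in it (Flow, SIGNATURES, BASELINE, Tuning, analyze, SAMPLE_FLOWS) and every address and byte pattern is constructed for illustration; the signatures are placeholders, not real worm or cracker signatures.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One observed flow. Which segment the sensor sits on decides what is 'normal'."""
    segment: str
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed placeholder content rules in the spirit of a Snort signature:
# (rule name, destination port, byte pattern). Not real worm signatures.
SIGNATURES = [
    ("SMB write to printer share (placeholder)", 445, b"\\PRINT$"),
    ("POP3 login attempt (placeholder)", 110, b"PASS "),
]

# Constructed baseline: destination ports that belong on each segment.
# A segment with no entry cannot be judged at all, which is itself a finding.
BASELINE = {
    "dmz": {80, 443},
    "office": {80, 443, 445, 110},
}


@dataclass
class Tuning:
    """Site-specific knowledge that separates a noisy sensor from a useful one."""
    suppress: set = field(default_factory=set)      # (rule name, src) pairs known to be benign
    thresholds: dict = field(default_factory=dict)  # rule name -> hits from one src before alerting


def analyze(flows, baseline, tuning):
    """Return (kind, detail, src) alerts of kind 'signature', 'anomaly' or 'untuned-segment'."""
    alerts = []
    hits = Counter()
    for f in flows:
        expected = baseline.get(f.segment)
        if expected is None:
            alerts.append(("untuned-segment", f.segment, f.src))
        elif f.dport not in expected:
            alerts.append(("anomaly", f"port {f.dport} on {f.segment}", f.src))
        for name, port, pattern in SIGNATURES:
            if port != f.dport or pattern not in f.payload:
                continue
            if (name, f.src) in tuning.suppress:
                continue
            hits[(name, f.src)] += 1
            # Alert exactly once per (rule, src), when the tuned threshold is reached.
            if hits[(name, f.src)] == tuning.thresholds.get(name, 1):
                alerts.append(("signature", name, f.src))
    return alerts


# Constructed sample traffic, not a capture from any real network.
SAMPLE_FLOWS = [
    Flow("office", "10.0.0.5", "10.0.0.9", 445, b"SMB \\\\PRINTSRV\\PRINT$ spool job"),   # print server, benign
    Flow("office", "10.0.0.5", "10.0.0.9", 445, b"SMB \\\\PRINTSRV\\PRINT$ spool job"),
    Flow("office", "10.0.0.77", "10.0.0.9", 445, b"SMB \\\\PRINTSRV\\PRINT$ garbage.exe"),  # workstation writing a file to a printer share
    Flow("office", "10.0.0.23", "10.0.0.2", 110, b"USER boss\r\nPASS guess1\r\n"),
    Flow("office", "10.0.0.23", "10.0.0.2", 110, b"USER boss\r\nPASS guess2\r\n"),
    Flow("office", "10.0.0.23", "10.0.0.2", 110, b"USER boss\r\nPASS guess3\r\n"),
    Flow("dmz", "203.0.113.8", "192.0.2.10", 445, b"SMB \\\\DBSRV\\C$ delete"),            # SMB on a segment where only web belongs
    Flow("lab", "10.9.9.9", "10.9.9.1", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

# Out of the box: nothing suppressed, every first hit alerts, one segment unknown.
UNTUNED = Tuning()
# After a site survey: the print server is known, three guesses make a cracking alert, lab is baselined.
TUNED = Tuning(
    suppress={("SMB write to printer share (placeholder)", "10.0.0.5")},
    thresholds={"POP3 login attempt (placeholder)": 3},
)
TUNED_BASELINE = {**BASELINE, "lab": {80}}

if __name__ == "__main__":
    for label, tuning, base in (("untuned", UNTUNED, BASELINE), ("tuned", TUNED, TUNED_BASELINE)):
        found = analyze(SAMPLE_FLOWS, base, tuning)
        print(f"{label}: {len(found)} alerts")
        for a in found:
            print("  ", a)
```

Run as a script, the untuned pass raises five alerts, two of which (the print server's own spooling and the unbaselined lab segment) are noise an analyst would learn to ignore; the tuned pass keeps the three that matter. The same code, fed with an over-generous suppress set or thresholds set too high, would go quiet on everything, which is the other failure the thread describes.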