IDS mailing list archives
Re: Announcement: Alert Verification for Snort
From: "Bill Royds" <broyds () rogers com>
Date: Fri, 24 Oct 2003 23:30:31 -0400
This is a very interesting point of view because it points to a new way of creating an IDS. What we really want is a language that describes the context of a system (in send of multiple servers, networks, programs etc.) and a language that describes the possible attacks at level of how those attacks can damage this system. We can then compile these two into a system vulnerability description that can optimally respond to data hitting the system. Now the main set of data for creating a particular implementation of an firewall is to have a systems description of data flows allowed into the system, a grammar of allowed input. This grammar can then create a filter that limits allowed data so that one has closer to an "allow only valid input, deny the rest" stance for actual data content, not just the present envelope view of most firewalls. The IDS' job is then to analyze that which was denied to determine why and tune the firewall to better filter in the future. The limit to this approach is similar to the concept of anomaly detection IDS, except that the anomalies are not strictly from context but from a grammar. The grammar is created by looking at the input/output descriptions for sostware running on the system (which includes the RFC for protocols allowed, the scanf/printf parameter set, "well known" values for buffer sizes in software etc.). This grammar view also allows for traffic normalizers attuned to the system that are protected. One integrates the concept of vulnerability scanner, firewall, IDS and honeypot in a single system. The vulnerability scanner and signature set create the grammar for the firewall rule. The firewall examines all traffic for conformance with the grammar. That which conforms is passed through to the system, that which fails is passed through to the honeypot that captures it and increases the contextual information for the IDS to analyze it (a honeypot running IIS would give the correct return code for an IIS attack without exposing the corporate data to the exploit). Essentially the honeypot mirrors the software base of the system without the vulnerable data set. True false positives (in Marty's sense) would point to a need for tuning the firewall to prevent a denial of service, but contextual false positives would only imply updating the honeypot. This still has the risk of false negatives, but monitoring the reaction of the real system could add more context information to the grammar to reduce those as well. ----- Original Message ----- From: "Stephen P. Berry" <spb () meshuggeneh net> To: "Martin Roesch" <roesch () sourcefire com> Cc: "Christopher Kruegel" <chris () cs ucsb edu>; <focus-ids () securityfocus com>; <spb () meshuggeneh net> Sent: Thursday, October 23, 2003 10:33 PM Subject: Re: Announcement: Alert Verification for Snort -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Martin Roesch writes:
[...] I think it's important to make the distinction between "real" false positives (i.e. the IDS screwed up) and nontextuals where the IDS has done its job, it just needs more information to properly evaluate the reality and priority of the event.
Insufficient context is clearly -part- of the problem in many cases, and I don't really disagree with the above evaluation. I think the problem[0] is also more fundamental, however, and is based on a pervading infosec GCE[1] that holds that meaningful conclusions about large-scale behaviours (i.e., the remote compromise of a network-attached device) can be made on the basis of individual packets. This misconception isn't merely the result of misinterpreting the -scope- of an NIDS event (i.e., what a single signature match tells you), but rather the -character- of such events (i.e., what kind of information such events are capable of conveying). Some time ago while fiddling around with constructing a formal grammar for event handling for use in some future release shoki, a conceptual model occurred to me: NIDS signatures and most other intrusion detection heuristics (i.e., regex searches through syslog output) merely serve as a mechanism for tokenising the raw data stream (packets on the wire or lines in /var/log/messages, for example). In other words they are components of a lexical analysis system, the output of which is a stream of recognised tokens. Currently, almost all NIDS systems do -just that-, and rely on the analyst[2] to actually parse these tokens. Expecting such a system to meaningfully predict the actual state of a network is kinda like grepping through a bunch of C code for things like `snprintf' and `fork', and expecting to be able to predict what the program will do. Evaluating whether a particular event emitted by a NIDS widget is a `false positive' is a semantic evaluation, not a lexical categorisation---but all most NIDS produce are lexical analyses. This isn't merely a problem of insufficient context---it's a misconception about the underlying character of the data. Does this make sense? I think this is a nontrivial distinction, but I'm not sure that the above makes it clear. That all aside, I further think that evaluating the content of a NIDS event is more complex than testing for the presence or absence of some quantity(-ies). I.e., is there an `actual' attack or not, and did the NIDS catch it or not. A rigourous discussion of this contention is probably beyond the scope of this message, but I would suggest that this evaluation is -at least as- complex as risk analysis, and is probably in fact more complex. Put a slightly different way: you can't really evaluate whether something is a `false positive' or not except within the context of a threat model. Since very few IDSes have any way of representing a threat model, very few have any way of even -expressing- the notion of a `false positive'. Note that this is distinct from the point I made (or tried to make) above: if you'll excuse the ornate diction, the lexical analysis/semantic content distinction is an epistemological point; the threat model contention is teleological. Somewhat more vaguely, the first distinction I made was largely about the structure of an IDS and the latter is about conceptual basis(-es) upon which value judgements are made by that NIDS. My point? Asking whether or not a NIDS reporting a signature match for a given packet is a `false positive' isn't even an insufficiently specified problem. It's like asking if OBP[3] is a better OS than SRM[4]. The question is poorly formed. - -spb - ----- 0 Or at least the -semantic- problem, here `semantic' meaning `having to do with semantics' and not the (more common in mailing list and USENET discussions) `nomenclature quibble' usage of the term. 1 Gross conceptual error. 2 I.e., a human operator. 3 I (perhaps naively) expect most readers will still recognise this as Sun's Open Boot Prom. 4 DEC's Systems Reference Manual, one of the boot consoles used on alphas and, earlier, VAXen. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (OpenBSD) iD8DBQE/mI9DG3kIaxeRZl8RAgFeAJ9bYT134ePcu/8Vw93QwZVGgBsL6QCeOrpS vOFUBi9glzLcg7Cj5S0VXTQ= =3Rw4 -----END PGP SIGNATURE----- --------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 and use priority code SF4. --------------------------------------------------------------------------- --------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_focus-ids_031023 and use priority code SF4. ---------------------------------------------------------------------------
Current thread:
- Re: Announcement: Alert Verification for Snort, (continued)
- Re: Announcement: Alert Verification for Snort Michael Sierchio (Oct 23)
- Re: Announcement: Alert Verification for Snort Ron Gula (Oct 23)
- Re: Announcement: Alert Verification for Snort Frank Knobbe (Oct 24)
- Re: Announcement: Alert Verification for Snort Barry Fitzgerald (Oct 24)
- RE: Announcement: Alert Verification for Snort Craig H. Rowland (Oct 24)
- Re: Announcement: Alert Verification for Snort Robin Sommer (Oct 24)
- Re: Announcement: Alert Verification for Snort Raistlin (Oct 23)
- Re: Announcement: Alert Verification for Snort Martin Roesch (Oct 23)
- Re: Announcement: Alert Verification for Snort Michael Krieger (Oct 24)
- Re: Announcement: Alert Verification for Snort Stephen P. Berry (Oct 24)
- Re: Announcement: Alert Verification for Snort Bill Royds (Oct 24)
- Re: Announcement: Alert Verification for Snort Konrad Rieck (Oct 23)
- Re: Announcement: Alert Verification for Snort Michael Stone (Oct 23)
- RE: Announcement: Alert Verification for Snort Andrew Hall (Oct 23)
- Re: Announcement: Alert Verification for Snort Sam f. Stover (Oct 24)
- RE: Announcement: Alert Verification for Snort PPowenski (Oct 24)
- Re: Announcement: Alert Verification for Snort Martin Roesch (Oct 24)
- Re: Announcement: Alert Verification for Snort Richard Bejtlich (Oct 24)