IDS mailing list archives
Re: IPS comparison
From: Adam Powers <apowers () lancope com>
Date: Tue, 30 Aug 2005 18:02:01 -0400
> - I agree that "anomaly detection" != "zero day" detection. Just because my DNS server starts to connect to all the other hosts on my network, doesn't mean it has got a worm on it.
This is why most of today's *successful* anomaly detection technologies incorporate a learning or "behavioral" component that overcomes this kind of problem. Take StealthWatch for instance. When a new DNS server comes online, StealthWatch looks at the flows being generated by the server, figures out what the server is and how it's behaving, then applies the appropriate algorithms given the contextual awareness of the server's learned behaviors. In a nutshell:

1. New host detected.
2. Let's watch it for a bit and figure out what it's up to.
3. Now that we know what the machine is and does, apply the proper anomaly detection techniques to the traffic generated by the host.

Let's study your DNS example...
From experience, I know that Windoze 2K domain controllers tend to drive network-based detection systems crazy due to a race condition in the implementation of the Windows 2000 resolver.

1. Workstation-A has 2 nameservers configured, DNS-A and DNS-B.
2. Workstation-A tries to resolve yahoo.com using DNS-A (the first nameserver in the list).
3. For whatever reason (packet loss, busy server, etc) DNS-A never responds to Workstation-A's query.
4. After 1 second, Workstation-A times out the request and transmits the same query to DNS-A and DNS-B from the SAME SOURCE PORT (this is key).
5. DNS-B gets the request first and responds with yahoo.com's address.
6. Workstation-A receives DNS-B's answer and closes the UDP socket on which it was listening for the answer.
7. DNS-A responds milliseconds after DNS-B, but when the packet hits Workstation-A the socket is already closed and Workstation-A responds with an ICMP PORT_UNREACHABLE.

For many systems, ICMP PORT_UNREACHABLEs are seen as the response to a UDP scan (and indeed they often are). The trick is to be smart enough to know if the PORT_UNREACHABLEs are the result of a broken Windows client resolver or that of an actual UDP scan. StealthWatch, knowing that the machine is a Windows 2000 DNS Server, will allow for ICMP PORT_UNREACHABLEs associated with DNS queries without raising UDP Scan alarms and alerts. This kind of logic is a requirement of any network-based anomaly detection system. Without it, EVERYTHING is an anomaly and the system is rendered useless by the sheer number of events generated.

-AP

On 8/29/05 8:55 PM, "Ron Gula" <rgula () tenablesecurity com> wrote:
> At 06:01 PM 8/29/2005, Stefano Zanero wrote:
>> Daniel Cid wrote:
>>> This "anomaly" detection will only detect 0-day exploits for known vulnerabilities.
>> A zero-day exploit is a curious marketing thing. You suddenly redefine a difficult problem (catching zero-days) as a rather simpler problem (create signatures that actually describe the vulnerability, which is what any signature worth your licensing cost should do). So, presto!, you can rush up and put out some rather nice marketing material on it. Fact is, anomaly detection is so rare that it's almost nonexistent in the commercial products, except for limited forms of "protocol anomaly detection" and for Arbor's peakflow technology.
>
> Two comments here.
>
> - lots of NIDS that tend to code for a vulnerability, don't actually code for the vulnerability. They are still writing attack signatures. The attack signatures are smarter than what was standard about five years ago, but I've yet to really see a NIDS come out of the box with full vuln/IDS correlation.
> - I agree that "anomaly detection" != "zero day" detection. Just because my DNS server starts to connect to all the other hosts on my network, doesn't mean it has got a worm on it.
>
> Ron Gula, CTO
> Tenable Network Security

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------
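An added example, not code from this thread or from StealthWatch: a small Python correlator over constructed flow records that implements the contextual check Adam describes. An ICMP port unreachable is suppressed only when the same client source port queried that server and a different server already answered (the retry race), while unreachables with no such explanation accumulate toward a UDP-sweep alert. Host names, ports, the 2 s window and the threshold of 5 ports are assumptions for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float       # seconds
    kind: str       # "udp" or "icmp_unreach"
    src: str        # for icmp_unreach: host that sent the ICMP (its port was closed)
    sport: int      # for icmp_unreach: the closed port on src
    dst: str        # for icmp_unreach: host whose packet bounced
    dport: int      # for icmp_unreach: that host's port (53 for a DNS server)


def classify_unreachables(flows, window=2.0, scan_threshold=5):
    """Split ICMP port unreachables into late-DNS-reply noise and scan alerts."""
    outstanding = defaultdict(list)  # (client, sport) -> [(ts, server queried)]
    answered = {}                    # (client, sport) -> (ts, server that answered)
    bounced = defaultdict(set)       # (prober, target) -> closed ports seen
    benign, alerts = [], {}
    for f in sorted(flows, key=lambda x: x.ts):
        if f.kind == "udp" and f.dport == 53:
            outstanding[(f.src, f.sport)].append((f.ts, f.dst))
        elif f.kind == "udp" and f.sport == 53:
            answered[(f.dst, f.dport)] = (f.ts, f.src)
        elif f.kind == "icmp_unreach":
            key = (f.src, f.sport)
            recent = {s for ts, s in outstanding.get(key, []) if f.ts - ts <= window}
            ans = answered.get(key)
            # Steps 4-7 of the thread: this server was queried from the same source
            # port, another server already answered, so the socket closed first.
            if (f.dport == 53 and f.dst in recent and ans
                    and ans[1] != f.dst and f.ts - ans[0] <= window):
                benign.append(f)
                continue
            ports = bounced[(f.dst, f.src)]
            ports.add(f.sport)
            if len(ports) >= scan_threshold:
                alerts[(f.dst, f.src)] = len(ports)
    return benign, alerts


# Constructed sample: the resolver race from the thread, then a real probe sweep.
SAMPLE = [
    Flow(0.00, "udp", "ws-a", 1025, "dns-a", 53),          # first query, DNS-A silent
    Flow(1.00, "udp", "ws-a", 1025, "dns-a", 53),          # 1 s timeout: retry to both
    Flow(1.00, "udp", "ws-a", 1025, "dns-b", 53),          # ... from the SAME source port
    Flow(1.01, "udp", "dns-b", 53, "ws-a", 1025),          # DNS-B answers, socket closes
    Flow(1.02, "icmp_unreach", "ws-a", 1025, "dns-a", 53), # DNS-A's late reply bounces
] + [Flow(5 + i / 100, "icmp_unreach", "host-x", 1000 + i, "scanner", 40000 + i)
     for i in range(6)]                                   # host-x bouncing a UDP sweep
```

Running `classify_unreachables(SAMPLE)` suppresses the single DNS-A bounce and reports one sweep alert for scanner against host-x; drop DNS-B's answer from the sample and the same bounce is no longer explainable and is counted instead.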