IDS mailing list archives
RE: IDS Signature Confidence
From: Mark Teicher <mht3 () earthlink net>
Date: Mon, 25 Jul 2005 15:56:35 -0400 (GMT-04:00)
Nick/Dan (you must have a split personality, or you have worked with too many bi-polar PhD security consultants or former "Cyber Investigators"),

My comments on earlier posts could have contained a bit of complex gobbledygook; it all depends on how the IPS is configured on a particular network environment and how effective a particular set of intrusion detection signatures/protocol decodes is under certain network conditions. If utilizing a Local Management Interface or Centralized Management Console, based on the default security policies or custom security policies a designated security administrator utilizes (i.e. monitor for known attacks, anomalies, DDoS, or specialized applications (Web, E-Commerce)), each set of security policies will include a set number of signatures/protocol decodes that might have been quickly tested for effectiveness in a particular environment with x number of packets per second, etc., and also depending on whether the IPS is capable of being configured in tap mode, inline mode or monitor mode only. Within each given configuration, an IPS's speed of analysis will be greatly affected, or may not be, depending on the vendor's implementation/architecture using commodity-based hardware or specialized hardware. Regardless, how fast a particular IPS is really shouldn't be the issue, but how effective a particular IPS is against a defined set of attacks and whether the local management interface or centralized management console receives the information in a timely fashion. Those statistics should then be used as a variable in calculating IDS Signature Confidence within a given enterprise or business environment. Mileage may vary from network to network due to the percentage of real network traffic that a particular IPS is placed against.

THolman () toplayer com rigorously showed:
If a DoS attack is made up of valid traffic, then a NIDS signature isn't going to pick it up. You need to establish whether or not incoming traffic from individual IPs meets acceptable transaction rates, and this is really a job for a rate-based IPS.
This seems a stunningly narrow view of a "signature"; I'm surprised to see the source (I generally find myself nodding and smiling as I read your posts!). Snort's "rate" and "burst" keywords provide (simplistic) rate limiting as an obvious example. By making available more information from one's connection tracking, etc. to the signature language, "signatures" can be used quite effectively to detect DoS patterns of the type you describe.

Essentially, if a "signature" can both a) access all state available to the I[DP]S, and b) be expressed to the signature engine using a language strong enough to describe arbitrary [0] operations on this state, it's as powerful as any other code the system could employ (All hail the Church-Turing thesis!). If an IPS provides signature writers just as much flexibility as it does core designers to perform detection, is that a rate-based IPS or a sig-based IPS? I'm appalled that these terms are still bantered about when languages could be getting fixed instead.

Mark Teicher made a similar point earlier in the thread, but that post suffered from being far too readable and containing a paucity of complexity theory gobbledygook :).

[0] for values of "arbitrary" bounded by "recursively enumerable", of course, but we're among friends.

-- nick black "np: the class of dashed hopes and idle dreams."
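A worked illustration of the argument in Nick's post, added here and not part of the thread or of any vendor's engine: a toy signature engine whose rules are predicates over the current event plus shared connection-tracking state, with a per-source rate rule (reach N connections within M seconds, then alert once per window) written as one such signature. The event data, IP addresses and rule names are constructed; the state model and rule interface are assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed events (time s, source IP, dst port): 10.0.0.5 is a normal client, 10.0.0.9 bursts to port 80.
EVENTS = (
    [(0.0, "10.0.0.5", 80), (0.4, "10.0.0.5", 80), (1.0, "10.0.0.5", 443)]
    + [(round(1.1 + 0.1 * i, 1), "10.0.0.9", 80) for i in range(12)]
    + [(9.0, "10.0.0.5", 80), (30.0, "10.0.0.9", 80)]
)

class ConnState:
    """Connection-tracking state that every signature is allowed to read."""
    def __init__(self, max_window=60.0):
        self.max_window = max_window
        self.per_src = defaultdict(deque)  # src -> timestamps of recent connections
        self.last_alert = {}               # (rule name, src) -> time of last alert

    def record(self, t, src):
        q = self.per_src[src]
        q.append(t)
        while q[0] < t - self.max_window:  # drop entries older than any rule window
            q.popleft()

    def count_since(self, src, t, seconds):
        return sum(1 for ts in self.per_src[src] if ts > t - seconds)

def rate_signature(name, count, seconds, dport=None):
    """Rate-based rule as a signature: fires when a source reaches `count`
    connections within `seconds`, then once per window for that source."""
    def match(t, src, port, state):
        if dport is not None and port != dport:
            return False
        if state.count_since(src, t, seconds) < count:
            return False
        last = state.last_alert.get((name, src))
        if last is not None and t - last < seconds:
            return False  # already alerted for this source in the current window
        state.last_alert[(name, src)] = t
        return True
    return name, match

def run_engine(events, signatures):
    """Record each event in the tracker, then evaluate every signature against
    the event plus shared state; returns (time, rule name, src) alerts."""
    state, alerts = ConnState(), []
    for t, src, port in sorted(events):
        state.record(t, src)
        for name, match in signatures:
            if match(t, src, port, state):
                alerts.append((t, name, src))
    return alerts
```

With `rate_signature("http-conn-flood", 10, 5.0, 80)` the engine raises a single alert for 10.0.0.9 at t=2.0, when its tenth connection inside the window arrives, and stays quiet for the normal client.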