IDS mailing list archives
IDS signatures order
From: "Sergey V Soldatov" <SVSoldatov () tnk ru>
Date: Tue, 15 Mar 2005 12:49:28 +0300
Hi list!

I'd like to share my correspondence about how RealSecure Network Sensor, an IDS from ISS (RNE in further discussion), triggers events if more than one signature is found in a packet or session. I've got to know that "the most important" event will be seen in the console, and I think that in general it isn't correct for an IDS, because knowledge about the priority in which events are triggered can give an attacker the opportunity to evade the IDS and hide the real invasion. Maybe I don't understand something; please correct me if I'm wrong. Maybe it's not so in RNE and all signatures are checked... ANY feedback will be appreciated.

Also it's interesting how signature processing is organized in other IDSs/IPSs. Do all signatures have to be checked, or is it possible to check them in a special priority?

Thanks.

---
Best regards,
Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)

----- Forwarded by Sergey V Soldatov/DKB/HQ-MSK/TNK on 20.12.2004 09:39 -----

Sergey V Soldatov
08.12.2004 10:53
To: "Ballerini, Jean Paul (ISS EMEA)" <JPBallerini () iss net>@TNK
cc:
Subject: RE: Adv RSSP students guide

Hope that I still have not bothered you enough, but it's very serious, I think. As I've understood you, if some packet or number of packets in an analysed session match a lot of signatures, I'll get "the most important" in the console, but only one?! It isn't right for a sensor: _all_ matched signatures MUST be shown in the console or analysed by a correlation engine (if there is one). If RNE really shows only one event, it's a bug that has to be fixed. In this case I have another question: where can I get a list with signature priorities, to get to know which signature will be displayed in case a number of "high" events were found? You can post answers on ISSForum; I think this topic may be interesting for all.

Good luck.

---
Best regards,
Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)

"Ballerini, Jean Paul (ISS EMEA)" <JPBallerini () iss net>
07.12.2004 19:10
To: "Sergey V Soldatov" <SVSoldatov () tnk ru>
cc:
Subject: RE: Adv RSSP students guide

Sergey,

We detect all the events but generate only one, the one with the highest risk, because it is the most important for blocking.

Jean Paul

-----Original Message-----
From: Sergey V Soldatov [mailto:SVSoldatov () tnk ru]
Sent: Monday, December 06, 2004 3:19 PM
To: Ballerini, Jean Paul (ISS EMEA)
Subject: Adv RSSP students guide

Reading the Adv RealSecure Site Protector students guide (05/23/03), on p. 79, within the server sensor data path explanation, I've found an interesting phrase: 'Unlike Network Sensor, Server sensor allows events to match more than one signature at a time.' Does it mean that in the case of RNE one packet can trigger only one signature if it matches? As I can see in the SiteProtector Console it isn't so, and it's QUITE RIGHT. But if it is so, and I've understood this correctly, it is awful, because it allows an intruder to hide really important events among informational ones and so pass over the IDS. Early versions of Snort had such a vulnerability, but it was corrected a long time ago. Is it so? Please let me know.

Good luck!

---
Best regards,
Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 (1613)
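As an added illustration (not code from the thread, from ISS, or from any real sensor), the toy signature engine below evaluates every signature against a payload and then applies either alerting policy, so an analyst can see which matched signatures the "highest-risk only" policy never surfaces to the console. Signature ids, names, risk values and the sample requests are all constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    sid: int        # constructed signature id, not a real ISS or Snort id
    name: str
    risk: int       # higher number = more severe; used as the "priority"
    pattern: bytes  # toy content pattern (regex over the raw payload)

# Constructed toy signature set for this example; ids, names and risks are made up.
SIGNATURES = (
    Signature(1001, "HTTP GET request (informational)", 1, rb"^GET /"),
    Signature(1002, "HTTP directory traversal attempt", 3, rb"\.\./"),
    Signature(1003, "HTTP request for /etc/passwd", 4, rb"/etc/passwd"),
    Signature(1004, "Oversized HTTP URI", 5, rb"^GET /\S{200,}"),
)

def match_all(payload: bytes) -> list[Signature]:
    """Evaluate every signature against the payload (what the sensor 'detects')."""
    return [s for s in SIGNATURES if re.search(s.pattern, payload)]

def report(payload: bytes, policy: str) -> list[int]:
    """Signature ids the console shows: 'all' = one event per match (server-sensor
    style); 'highest-only' = only the highest-risk match (RNE behaviour in the thread)."""
    matched = match_all(payload)
    if not matched:
        return []
    if policy == "all":
        return sorted(s.sid for s in matched)
    if policy == "highest-only":
        return [max(matched, key=lambda s: s.risk).sid]
    raise ValueError(f"unknown policy: {policy}")

def suppressed(payload: bytes) -> list[int]:
    """Matches that 'highest-only' silently drops: detail the analyst never sees."""
    return sorted(set(report(payload, "all")) - set(report(payload, "highest-only")))

if __name__ == "__main__":
    # Constructed sample requests; the second trips an extra signature so that the
    # single reported event no longer describes what the request actually did.
    samples = [
        b"GET /../../etc/passwd HTTP/1.0\r\n",
        b"GET /" + b"A" * 250 + b"/../../etc/passwd HTTP/1.0\r\n",
    ]
    for p in samples:
        print(report(p, "all"), report(p, "highest-only"), suppressed(p))
```

Under the "highest-only" policy the second request is reported solely as an oversized URI, while the traversal and /etc/passwd matches are lost; reporting every match (or feeding all of them to a correlation engine) is what keeps that context visible.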
Current thread:
- IDS signatures order Sergey V Soldatov (Mar 16)