IDS mailing list archives

RE: IPS comparison

From: "Joseph Hamm" <jhamm () lancope com>
Date: Thu, 1 Sep 2005 22:39:54 -0400

Sorry for the delayed response.  Comments Inline:

It might, but it might not. All that the anomaly says is that something

has changed. Don't get me wrong, that is useful, but it's not a zero day
exploit. It could be:


Administrators are concerned with new threats of all kinds.  The zero
day variety is only a small portion of the things that are detected.

- a 1000 day old exploit


I'd still want to know about this (IDS should have caught it)

- someone upgrading the DNS server to also be a WINS server


Think change control management and enforcement

- some script that got executed which failed over a DNS server to some
  sort of Tivilo software distribution server


Again, useful to know

- some sort of switch/hub/network issue which causes UDP broadcast
  addresses to leak out and 'spike' traffic


I sure as hell want to know about this

- maybe someone decides to bulk update some zone records in the DNS
  server with HTTP, SCP or possibly TFTP. Since it doesn't normally
  do this, this is flagged as an anomaly.
- maybe one day, the 'new guy' telnets into the box from his house
  and ends up running ntop on the DNS pinning the session open for a
  long time and this gets flagged because it's not normal
- maybe one day, the hard drive crashes, and all the network starts
  doing DNS requests to the backup DNS server which looks like some
  sort of DNS worm since you have a large flash crowd going to the
  same place at the same time.


You just sold the product.  Can I use these examples? LOL!

Don't get me wrong, I'm a big fan of Lancope's Stealthwatch product and

anomaly detection. We built an anomaly engine into our Thunder log
analysis tool for network

traffic, netflow, firewall logs, host logs, .etc, but anomaly detection

is just that -- anomalies. It's not the end-all solution to finding zero
days.

No solution is the end all...we all know that!  I think it is funny that
we have to keep mentioning this as if it's a revelation.

You get legitimate dark IP addresses lighting up all the time.


Then it is no longer dark IP space, is it?  The system should keep track
of this.

My point here is scale. Unless your NBAD is hooked into your network's

change control process, you won't really know when a new host, network
trace or an entirely new

route is a legitimate thing or not. It simply wasn't there the day

before and is now.

Yep, these technologies allow administrators to audit change control,
etc.  Great for compliance issues.

I agree that honeypots are a useful detection concept. I'd be curious

to look at how much fidelity these NDABs (I don't like that acronym any
more than NADS) have at

seeing if a host is truly alive, especially in this day of DHCP and

host-based firewalls.

It is a passive technology so it is "alive" if you see it communicate
across the network.  IDS/IPS can only detect presence if the traffic
passes the senor.  Leveraging flows from all routers and switches gives
you complete network visibility.  If it makes a peep, you'll see it.

I've also seen more than one "NDAB" system get really confused if a

system was alive or not because a firewall was silently dropping the TCP
connection attempts.

Sounds like limited visibilty.....a result of poor design and
implementation.

Agreed, but I most likely already have port scanning detection

algorithms in my firewalls and NIDS.

Yeah, but can you prioritize them? Break down the scanning to determine
the aggressiveness of the scan?  Firewall and IDS alarm data is very
limited in detail.

With all the network phone-home spyware, custom trojans, custom worms,

constant new forms of P2P chat/share, .etc, on 'unmanaged' networks, I
see so many 'annomalies'

each day, it's like running a signature NIDS.


That's why having a NADS to prioritize these anomalies could save you
some man-hours.  There are a lot of anomalies on the network.  You need
to know which ones are of concern.  That's what a tool like this
provides.

I've yet to see any NBAD vendor call CERT, a product vendor or whoever

and say "Gee, our anomaly engine caught a zero-day worm exploiting
application XYZ. We think you >should do a patch and release an
advisory".

And it wouldn't even need to be the vendor. Why aren't any of the

customers running these NBAD sensors seeing zero-day exploits and
posting to the SANS GIAC watch, this >IDS list, or even vuln-dev? I
think that NBADs are seeing anomalies just fine, but it's hard to
discriminate an "ignorable" anomaly from a real threat.

It is a quickly emerging space so stay tuned!


Joe Hamm, CISSP
Senior Security Engineer
Lancope, Inc.
jhamm () lancope com
404.644.7227  (cell)
770.225.6509   (fax)

Lancope - Security through Network Intelligence(tm)
StealthWatch(tm) by Lancope, a next-generation network security
solution, delivers behavior-based intrusion detection, policy
enforcement and insightful network analysis.  Visit www.lancope.com.


-----Original Message-----
From: Ron Gula [mailto:rgula () tenablesecurity com] 
Sent: Tuesday, August 30, 2005 9:00 PM
To: Focus-Ids Mailing List
Subject: RE: IPS comparison

OK, here goes a real long post from Ron. Sorry if this gets off topic
but I hope folks find it informative. For anyone just scanning these
emails, let me summarize by saying: "anomaly detection" != "zero day
detection".

At 05:15 PM 8/30/2005, Joseph Hamm wrote:

- I agree that "anomaly detection" != "zero day" detection. Just

because

  my DNS server starts to connect to all the other hosts on my

network,

  doesn't mean it has got a worm on it.


It might if your DNS server doesn't normally do this.


It might, but it might not. All that the anomaly says is that something
has changed. Don't get me wrong, that is useful, but it's not a zero day
exploit. It could be:

- a 1000 day old exploit
- someone upgrading the DNS server to also be a WINS server
- some script that got executed which failed over a DNS server to some
   sort of Tivilo software distribution server
- some sort of switch/hub/network issue which causes UDP broadcast
   addresses to leak out and 'spike' traffic
- maybe someone decides to bulk update some zone records in the DNS
   server with HTTP, SCP or possibly TFTP. Since it doesn't normally
   do this, this is flagged as an anomaly.
- maybe one day, the 'new guy' telnets into the box from his house
   and ends up running ntop on the DNS pinning the session open for a
   long time and this gets flagged because it's not normal
- maybe one day, the hard drive crashes, and all the network starts
   doing DNS requests to the backup DNS server which looks like some
   sort of DNS worm since you have a large flash crowd going to the
   same place at the same time.

Don't get me wrong, I'm a big fan of Lancope's Stealthwatch product and
anomaly detection. We built an anomaly engine into our Thunder log
analysis tool for network traffic, netflow, firewall logs, host logs,
.etc, but anomaly detection is just that -- anomalies. It's not the
end-all solution to finding zero days.

Consider a
network anomaly detection system that profiled your network and created

unique usage/behavioral profiles for each host (including Ron's DNS 
server).  You've told the box how your internal address space is 
defined so now the box also knows your network's "dark" or unused

address space.


(Defined internal address space) - (active hosts seen) = Unused or 
"Dark" IP space


Tenable has got a lot of experience in this space with both active and
passive solutions. Well managed networks are extremely well behaved and
any anomaly is an interesting thing. Unmanaged networks are chaotic,
random and unpredictable. You get legitimate dark IP addresses lighting
up all the time.

My point here is scale. Unless your NBAD is hooked into your network's
change control process, you won't really know when a new host, network
trace or an entirely new route is a legitimate thing or not. It simply
wasn't there the day before and is now.

Now consider that your DNS server gets infected with a new worm and 
starts scanning nearby hosts.  A smart NADS (network anomaly detection
system) will be able to quickly determine that this host is scanning 
your dark address space (honeynet concept).  Any activity being 
directed at this unused space can be assumed to be suspect.


This is useful, but a lot of this functionality is already in a NIDS.
They may not profile my network, but they can tell me if my DNS server
is launching port scans.

I agree that honeypots are a useful detection concept. I'd be curious to
look at how much fidelity these NDABs (I don't like that acronym any
more than NADS) have at seeing if a host is truly alive, especially in
this day of DHCP and host-based firewalls.

I have a lot of "by definition" honeypot horror stories though. For
example, consider Windows DHCP laptops that hop from wireless NIC, to
VPN, to ethernet, .etc. Lots of these guys will make various UDP
protocol probes for whatever private RFC1918 address they were last on,
or misconfigured for. I've also seen more than one "NDAB" system get
really confused if a system was alive or not because a firewall was
silently dropping the TCP connection attempts.

Also, consider the port being used.  If this is not a port that the DNS

server normally uses, then that would be suspect as well.


I normally don't need to download to patch my DNS server, but right
around the time a worm for DNS is going to come around, I'll have to
fire up my infrequently used VNC, SSH, terminal services, Telnet or
rlogin. I might even have to grab a patch with a web fetch on port 80,
port 443, or even go through the new corporate web proxy on some other
god-forsaken-port.
I may even have a system admin who's arguably lazy or efficient and
batch process this with a TFTP fetch.

The classic example I see a lot of NBAD, IDS and SIM vendors (I've seen
more than one Tenable SE guilty of this too) is to demonstrate to
potential customers when a perfectly 'normal' host gets an 'anomaly' of
a web fetch to the network or an IRC session or some TFTP requests. This
is cool, but something easily blocked by a firewall or router policy.

Not to
mention all of the tcp resets or icmp port unreachables (in the case of
UDP) that the DNS server will receive as it scans across your network.


Agreed, but I most likely already have port scanning detection
algorithms in my firewalls and NIDS.

Check out the whitepapers published by NADS vendors that outline cases 
where new "zero-day" worms were detected before signatures became 
available.  I agree that marketing departments squeeze all they can out

of zero-day, but I can at least vouch that our SteatlhWatch products 
detected Zotob (and its variants) without the need for any signature 
updates.  This means customers had early detection before signatures 
were available.  I'm sure there are some other vendors out there that 
can report the same.


Many NIDS, SIMs, .etc (even Tenable's NeVO) caught various hits and
indications of Zotob. What they didn't do is say, "this trace right here
is the one that is taking your network down right now and will cause you
loss of sleep for the next three days".

With all the network phone-home spyware, custom trojans, custom worms,
constant new forms of P2P chat/share, .etc, on 'unmanaged' networks, I
see so many 'annomalies' each day, it's like running a signature NIDS.
On a well managed, firewalled, change-controlled server farm, it's a
different story.

Even signature based solutions can tout this if they write sigs for the

vulnerability as opposed to the exploit.


Sure. Anyone can tout just about anything in this industry. However,
some things remain to be seen in this industry.

I've yet to see any NBAD vendor call CERT, a product vendor or whoever
and say "Gee, our anomaly engine caught a zero-day worm exploiting
application XYZ. We think you should do a patch and release an
advisory".
And it wouldn't even need to be the vendor. Why aren't any of the
customers running these NBAD sensors seeing zero-day exploits and
posting to the SANS GIAC watch, this IDS list, or even vuln-dev? I think
that NBADs are seeing anomalies just fine, but it's hard to discriminate
an "ignorable" anomaly from a real threat.

Ron Gula, CTO
Tenable Network Security


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

Current thread:

IPS comparison Rubayat . Zahir (Sep 01)
- <Possible follow-ups>
- RE: IPS comparison Joseph Hamm (Sep 02)
- RE: IPS comparison James Williams (Sep 02)
- RE: IPS comparison Zahir, Rubayat (Sep 02)
- Re: IPS comparison Frank Knobbe (Sep 05)
  - Re: IPS comparison Adam Powers (Sep 07)
  - Re: IPS comparison Sanjay Rawat (Sep 08)
    - Re: IPS comparison Frank Knobbe (Sep 09)
    - Re: IPS comparison Sanjay Rawat (Sep 12)
    - MIT Darpa Dataset, Wilmar SULAIMAN (Sep 19)
    - Re: MIT Darpa Dataset, Sanjay Rawat (Sep 21)
- RE: IPS comparison Frank Knobbe (Sep 05)

(Thread continues...)