IDS mailing list archives

Re: IDS detection approaches

From: Liran Cohen <theog () rct co il>
Date: Sun, 14 Oct 2007 17:30:31 +0200

I think blocking packets based on scoring of the source is a very badway to go, just like spam it will result in a lot of false positives,and actually lead to a "selective" internet which I am sure many dontwant the thing is by scoring you cannot just decide a subnet is likelyto have attacks originating from it thus block that subnet (like peopledo with e-mails) I happened to see a lot of e-mails servers which wereblocked due to CBLs and such and were in fact clean servers but removingsuch an entry from the CBLs is a very long tiring process resulting inservers such as hotmail which many dont use because it blocks manysubnets. I would hate to see the same happen with IDS i.e. trying tosurf the internet and getting a "your page has been blocked due to IPblack listing from your subnet" because someone decided to perform anattack from my subnet.


My 2 cents.... ;)

'Merigoth' wrote:

FF, I believe IDS placement should depend upon it's purpose. The
purpose of the IDS should determine where the IDS is placed. For
example, an IDS whose purpose is to identify all possible inbound
threats for firewall tweaking (or returning traffic back to the
community ;]) should be placed outside the firewall. A production
protection IDS would probably be better placed inside the firewall.
Defense-in-depth and architecture design are two key points to
remember.

As far as answering the initial question, one new trend is
"vector-based" modeling. Take a look at http://www.trustedsource.org/,
and the trustedsource query. Plug in a few IP addresses and see.
(NOTE: I do not work for secure computing.) The simplistic idea is a
network space, 192.168.1.x (for example), is given a "credit card"
score (or trust-worthiness score). This "trust-worthiness" score is a
determination of the network space to be secure and remain secure at a
given point in time. If the IP address or network space is flagged as
malicious, a firewall admin may wish to block all traffic to/from that
IP space. Remember that saying about blocking email based upon country
codes/location/email language due to the likelihood of spam. This
takes that idea and makes it a little more useful, in my opinion. This
is possible because it is an aggregation of flow data, signature based

and heuristic/anomaly detection IDS capabilities.

Partially referring back to the initial paragraph and what others have
mentioned, a company needs a blended IDS system. Signature-based
systems require dedicated analysts to maintain, and can quickly absorb
storage space on large links. Flow data, usually coming from routers,
can provide important information. However, it usually requires an
outside trigger (like a trustworthiness score or an IDS event) to
research. One of the key benefits of flow data is the amount of
traffic passed for an event. An IDS system may not capture the full
stream or storage may be an issue. Flow data can record the totally
bytes passed, which can be in the 10s of megs of data, in the space of
a few hundred bytes. So the conversation turns back into
defense-in-depth and architecture design.

I think application layer / "deep packet analysis" is also starting to
take off, as well.

Hopefully, this helps snort user.


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of
frankfrydrych () gmail com
Sent: Thursday, October 04, 2007 4:30 PM
To: focus-ids () securityfocus com
Subject: Re: IDS detection approaches

Hola,


I would completely go with a signature based IDS. Anomaly based IDS

will not give you the greatest results.


For signature base I highly recommend SNORT. It is probably one of the
best IDS out there. Now I'm not just saying this as a "ooh open source
is the best".  I truely believe this. I actually use to be a huge
Cisco buff and just dealt with Cisco IDS. However, at my current job I
am a security analyst and have to analyze events from Cisco, IIS,
Juniper, etc, and SNORT beats them all. Mainly for the fact that you
are able to see the packet payload and are able to make the decision
if something is malicious based on the actual payload and not just the
signature that is triggered (like some IDS). Also, when a new threat
emerges usually SNORT users will create a signature to combat the
threat. The other vendors create the signatures for you and it usually
ends up to be like 3 months after the threat was actually a realistic
threat. And on top of it the vendor signatures usually give out huge
amount of false positves. Then again, an IDS is only as good as who
tunes it. If you take A
 NY IDS and turn it on in a production network you will have so many
false positives I garuntee you will miss actual threats. Every IDS
(including SNORT) has to be tuned for the production network it is on.


Finally, make sure to place the IDS behind the firewall. If you place
it in front of the firewall you will receive so much traffic that it
is just not valuable data. You have a firewall, so let the firewall do
its job and block the already known bad activity, and catch what gets
through the firewall with a IDS.


-FF

----------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing itwith real-world attacks from CORE IMPACT.

Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campa

ign=intro_sfwto learn more.

----------------------------------------------------------------------
--


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing itwith real-world attacks from CORE IMPACT.Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfwto learn more.

------------------------------------------------------------------------


--
Liran Cohen
http://www.rct.co.il
http://www.dir.rct.co.il


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing itwith real-world attacks from CORE IMPACT.Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfwto learn more.

------------------------------------------------------------------------

Current thread:

RE: IDS detection approaches, (continued)
- RE: IDS detection approaches Campa, Albert R. (Oct 05)
  - Re: IDS detection approaches Stefano Zanero (Oct 10)
- Re: IDS detection approaches p1g (Oct 15)
- Re: IDS detection approaches frankfrydrych (Oct 05)
  - Re: IDS detection approaches Gary Halleen (Oct 09)
    - Re: IDS detection approaches Randal T. Rioux (Oct 12)
    - Re: IDS detection approaches Gary Halleen (Oct 12)
  - Re: IDS detection approaches jean-philippe luiggi (Oct 09)
  - Re: IDS detection approaches Adam Powers (Oct 09)
  - RE: IDS detection approaches 'Merigoth' (Oct 09)
    - Re: IDS detection approaches Liran Cohen (Oct 15)
  - Oracle XDB FTP Kanagasingham, Prathaben (Oct 26)
- RE: IDS detection approaches Nelson Brito (Oct 09)
  - Re: IDS detection approaches Sec urity (Oct 09)
    - RE: IDS detection approaches Nelson Brito (Oct 10)
    - Re: IDS detection approaches Sec urity (Oct 10)
    - Message not available
    - Re: IDS detection approaches Sec urity (Oct 12)
    - RE: IDS detection approaches Nelson Brito (Oct 12)
    - Re: IDS detection approaches Sec urity (Oct 12)
    - RE: IDS detection approaches Nelson Brito (Oct 12)
    - Re: IDS detection approaches Jason (Oct 12)

(Thread continues...)