Re: IDS experience's - summary

["Jeff Nelson" <jnelson () rackspace com>]

More people should take the time to compile worthwhile summaries.
Recently I've been evaluating various IDSs... primarily to quickly identify
DOSs so they can be rate-limited if they're specific enough (by a small
source pool or a port that wouldn't interfere with primary traffic)  or null
them if the customer's firewall/server/LB goes down and floods the block..

We have a Dragon system which is primarily used to identify portscans over a
multiple IPs and blackhole the source. I'm told it has more functionality
but I haven't had the time to explore its potential.
I've just begun using Arbor's Peakflow system--a traffic and DOS
platform--it uses set parameters to identify traffic anomalies using Netflow
stats. I believe that it has some good potential, but already we've had some
scalability issues and the 'tweaking' is very administratively intensive. It
has missed a few serious anomalies we could see on bandwidth graphs that it
didn't pick up.
And last, I'm about to receive Wildpacket's EtherPeek NX which uses a Gig
span to identify traffic flows and do pretty much the same thing as Arbor's
but all in Software and every packet. I'm very interested to try it because
of its full span and price. Unfortunately, it does cap at a Gig and so
multiple boxes will be needed in a large environment and there is no
aggregation software for the statistics.

I would love to hear more about other's experiences with these products and
values, or other interesting views on the subject.

--jeff

"Be liberal in what you accept, and conservative in what you send."
--Jon Postel
----- Original Message -----
From: "Brandon Knicely" <bknicely () nyc rr com>
To: "Nanog@Merit. Edu" <nanog () merit edu>
Sent: Friday, June 28, 2002 10:46 AM
Subject: RE: IDS experience's - summary


> Thanks to those that responded, content listed below with a few comments
of
> my own.  Also welcome additional discussion.
>
> A lot of new activity in the space, but very little differentiation beyond
> scale.  Correlation and mining of useful and actionable information
minimal
> at best.  Multiple 'probes' magnify the problem.  Signature based products
> based on their maturity still rule although some of the new 'pattern'
> matching products appear interesting.  Their problem is providing enough
> pattern classification detail to understand the reasoning.
>
> Would appreciate any comments on 'intelligent' multi-probe data mining
> approaches/products examined and/or enterprise cross-vendor correlation
> products.  I've seen Bayesian and neural network approaches that appear
> promising but are currently closer to a research project rather something
> implementable.
>
> Also welcome vendor feedback although prefer off-list mail.
>
> thanks,
>
> Brandon
>
> ---
> I've used ISS's RealSecure on Nokia's platform, Snort on Solaris/OBSD, and
> Dragon under FreeBSD. In my opinion ISS's RealSecure just isn't worth the
> money. I've used snort the most, and in once of two situations. The first
> being to proactively detect issues. Once you iron out all the false
> positives it tends to work very well. The second scenario where it was
> very usefull was after a break in happened and once the network was
> resecured. This allowed us to make sure there were no trojans left behind
> that were missed. Hope this helps somewhat.
>
> Adam Mazza
>
> ---
> The only real value from IDS data is based upon your ability to mine
> and interpret it. This is something that IDS vendors have utterly
> failed to provide a solution to, and something that most customers
> haven't totally wrapped their head around.
>
> In fact, a seperate IDS data mining and interpreting industry has
> popped up with players like NetForensics, Intellitactics and I'm
> sure there are others. In fact, if SilentRunner took snort logs
> (I haven't checked in a while) it would be an ideal solution for
> many.
>
> It is to the point where it really doesn't matter what brand of
> sensor you install, as none of them do data corelation effectively
> enough to be used without a third party data mining solution, for
> installations of more than a single sensor.
>
> I have found that even having 0-day signatures for the most obscure
> and dangerous exploits, doesn't add much value to an IDS. This
> is because even a skript kid with 0-day warez is going to probe,
> portscan and reach for low hanging fruit before they will risk exposing
> their more valuble toys to a potential honeypot. All an IDS is, is
> a policy monitoring device, which you use to make operational decisions,
> and potentially to augment your policy enforcement.
>
> The value of IDS data is really only uncovered through corelation.
> Anomaly based systems try to do this as part of the detection process,
> whereas signature based systems assume it will be done in post processing.
> Anomalies are ultimately just a different kind of signature anyway. :)
>
> With things like ACID and other front ends to Snort, IMHO, the best
> view of the data you can get is a listing of source ip addresses with the
> number of unique alerts they generated over a long period of time.
>
> The visualization tools from Intellitactics look like they were lifted
> from caida.org. This doesn't undermine how useful and cool they are,
> but it suggests that someone with more skills than I, will think of a
> way to parse snort logs into something like NetCDF or some other
> scientific visualization format for use with real visualization and
> data mining tools.
>
> I spend most of my day watching IDS's that generate massive amounts of
> data, and this information is based upon that experience.
>
> Cheers,
> --
> batz
>
>
>
> -----Original Message-----
> From: Brandon Knicely [mailto:bknicely () nyc rr com]
> Sent: Friday, May 31, 2002 2:29 PM
> To: Nanog@Merit. Edu
> Subject: IDS experience's
>
>
> IDS's have been around awhile but recently became interested in their
> usefulness.  I was wondering if I could get some group feedback on the
> following:
>
> 1.  How many folks have actually deployed either a NID, NNID or HID
system?
> 2.  Have they been useful or just generated noise and excess cycles? (1 -
> waste of time, 10 - water walker)
>
> 3.  Any 'real-world' comparative/useful data and/or opinion on different
> approaches...ie pattern matching, anomoly detection and/or data mining
> approaches?
>
> 4.  Any feedback on Snort, ISS, Cisco or Symantec?  Or other
newer/different
> approaches ie Okena?
>
> 5.  Other general good information, ie issues, gripes, etc.?
>
>
> I would appreciate any help, feel free to contact direct or list and will
> summarize.
>
> thanks,
>
> Brandon