Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: Barney Wolff <barney () databus com>
Date: Thu, 19 Feb 1998 17:36 EST

From: tqbf () secnet com
Date: Wed, 18 Feb 1998 17:17:37 -0600 (CST)

The reason that we claim this information is critical to accurate protocol
analysis and session reconstruction is simple. Two different operating
systems may process and reconstruct the same stream of traffic
differently. For instance, Windows NT 4.0 and FreeBSD 2.2 will reconstruct
two entirely different IP datagrams given the exact same stream of IP
fragments. A passive ID system cannot possibly know which reassembly is
correct without either knowing which operating system is running at the
destination or analyzing every possible interpretation of those fragments.

But why would it need to?  Overlapping fragments are "never" produced
by accident or misconfiguration, and can therefore always be taken as
an attack signature.  Are you really intending to say that if I'm dumb
enough to use an attack that works on OS-X against a host running OS-Y,
the IDS should ignore me until I smarten up?  It might not page somebody,
but it surely should at least count me.

What's being missed here, imho, is that the great majority of attacks
use packets/streams that lie far outside the boundaries of legitimate
use, despite perhaps being legal IP or TCP.

As with firewalls, it can be useful to think about IDS as "deny what I
don't recognize as permitted" rather than "permit what I don't recognize
as denied".

Products that trade off the false alarm rate vs the missed attack rate
in different ways can compete in the marketplace, without being in any
universal sense fatally flawed.

Barney Wolff  <barney () databus com>
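An added example, not code from the thread: a small Python model of the disagreement tqbf describes and the check Barney proposes. It assumes two illustrative reassembly policies (earlier fragment wins vs. later fragment wins), which is the kind of difference real stacks have had, without asserting which policy NT 4.0 or FreeBSD 2.2 used; the fragment stream is constructed and offsets are given in bytes.

```python
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]  # (byte offset into the datagram, payload)

# Constructed sample: the second fragment overlaps bytes 5..13 of the first
# with conflicting data. Offsets are in bytes for readability; on the wire the
# IP fragment-offset field counts 8-octet units.
SAMPLE_FRAGMENTS: List[Fragment] = [
    (0, b"GET /safe.html"),  # covers bytes 0..13
    (5, b"evil.cgi!"),       # covers bytes 5..13
]


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Rebuild the datagram one byte at a time.
    policy="first": a byte already seen is kept (earlier fragment wins).
    policy="last":  a later fragment overwrites earlier bytes.
    Hypothetical policies chosen to show that the same fragments can
    yield two different datagrams depending on the receiving stack."""
    buf: Dict[int, int] = {}
    for off, data in frags:
        for i, b in enumerate(data):
            pos = off + i
            if policy == "last" or pos not in buf:
                buf[pos] = b
    total = max(buf) + 1 if buf else 0
    if len(buf) != total:  # a hole means the datagram is not complete
        raise ValueError("fragment stream has holes; datagram incomplete")
    return bytes(buf[i] for i in range(total))


def find_overlaps(frags: List[Fragment]) -> List[Tuple[int, int]]:
    """Return (start, end) byte ranges covered by more than one fragment.
    This is the policy-independent signal: an IDS can count overlapping
    fragments without guessing how the destination will reassemble them."""
    seen: Dict[int, int] = {}
    for off, data in frags:
        for pos in range(off, off + len(data)):
            seen[pos] = seen.get(pos, 0) + 1
    ranges: List[Tuple[int, int]] = []
    for pos in sorted(p for p, n in seen.items() if n > 1):
        if ranges and ranges[-1][1] == pos - 1:
            ranges[-1] = (ranges[-1][0], pos)  # extend the current run
        else:
            ranges.append((pos, pos))
    return ranges


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SAMPLE_FRAGMENTS, policy))
    print("overlapping byte ranges:", find_overlaps(SAMPLE_FRAGMENTS))
```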
