Firewall Wizards mailing list archives
Re: Log checking?
From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Fri, 01 Oct 2004 17:26:52 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Paul D. Robertson writes:
But, again- IDS is "known bad"- we don't get IDS signatures for "stuff we don't know is good."
What do you mean "we", Kemosabe? Granted, this is true for almost all commercial products and the overwhelming majority of open source projects---both in default signature sets, and in the expressiveness of the signature logic itself. But that doesn't mean you -can't- do it. Indeed, the sort of IDS logic that I build by default is geared more toward enunciating what the expected behaviour of my networks are, rather than enunciating a laundry list of exploits du jour[0].
Strategically, I'm less worried about find things that will be IDS signatures next month than I am about finding things that will never be IDS signatures. Yes, that's a lot of data to deal with, but it's the higher-cost threats in my view, such as the bad insider, strategic compromise, etc.
Sure. Actually, what I typically do (where I can) is hang onto as much raw data (i.e., pcap-style dumpfiles or syslogd(8) output), and when I see something that's Known Bad, automagically generate a rule that looks for related---but initially unflagged---traffic in the original data. The idea being that if you see five packets from a given IP and four of them generate alerts and one of them is silently passed, then you probably wanna look at that fifth packet. This is more or less the design case for the entire doctrine system in shoki[1]. This works fine if you're not actually doing anything quote inline unquote, and if you're not having any fever dreams involving the word `realtime'. I.e., what is sometimes called forensic analysis (in the sense of doing in-depth analysis, not in the sense of conducting analysis for presentation to/use by an LEA), batch processing, data mining, or whatever. Addressing your original question (what do you look at, why, and how) more broadly, I'll say that I'll conduct just about any kind of goofy analysis I can think of, on just about any data I can get my hands on, assuming that I have the resources. This obviously isn't a closed-form answer, and that's somewhat frustrating. But the point, I suppose, is that at this stage of the game I'm really relying on primate forebrains (and, specifically, their curiosity and penchant for pattern recognition) for a substantial part of the real analysis of the data---so I'm constantly having to come up with new and interesting ways of presenting the data to the primate (i.e., me). If I could always enunciate what it is I'm looking for when I come up with an interesting result, then I wouldn't need the primate anymore, and after a couple days of coding (mod a couple months of debugging), I'd have a widget that could present the canonical red light/green light GUI to the NOC (i.e., relying on protoprimate forebrains instead). This isn't exactly a shattering revelation---i.e., that you need analysts to do analysis---but there seems to be a lot of baggage that security products carry around which is predicated on the wonky notion that security mechanisms can be made to be effectively self-managing. Or, I suppose, the fiction that they -already are- effectively self-managing. I don't believe that it is impossible that this will one day be possible, but we clearly aren't there. Further, the sorts of things that will get us there are things like the ability to enunciate threat models in our filtering/monitoring rules rather than things like simple data aggregation or automated response methods (i.e. IPS-like things)---which seem to be the focus of most current efforts. - -spb - ----- 0 For the past n jours, where n coincidentally is the age of the product/project. I mean I've seen NIDSes that are still checking for crap like Sendmail 5.x exploits. If you're still need to be worried about that kinda thing, then you have problems that an IDS -will not- help you solve. 1 I.e., the ability to generate signatures on the fly and run the raw data through them. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (OpenBSD) iD8DBQFBXfXAG3kIaxeRZl8RAvrXAKCybvMWIw6A0BwEU6Svr15vTvaZjQCg+YFT BBeJRAkTtn86XLY4JdouK1g= =0N8a -----END PGP SIGNATURE----- _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Log checking? Mark Tinberg (Sep 30)
- <Possible follow-ups>
- RE: Log checking? Marcus J. Ranum (Sep 30)
- RE: Log checking? Luke Butcher (Sep 30)
- RE: Log checking? FW Wizards Mailing List (Sep 30)
- RE: Log checking? Paul D. Robertson (Oct 01)
- RE: Log checking? Marcus J. Ranum (Oct 01)
- RE: Log checking? Paul D. Robertson (Oct 01)
- Re: Log checking? Devdas Bhagat (Oct 02)
- RE: Log checking? Paul D. Robertson (Oct 01)
- Re: Log checking? Kevin (Oct 01)
- Message not available
- RE: Log checking? hermit921 (Oct 01)