Firewall Wizards mailing list archives

Re: Log checking?

From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Fri, 01 Oct 2004 17:26:52 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Paul D. Robertson writes:

But, again- IDS is "known bad"- we don't get IDS signatures for "stuff we
don't know is good."


What do you mean "we", Kemosabe?

Granted, this is true for almost all commercial products and the overwhelming
majority of open source projects---both in default signature sets,
and in the expressiveness of the signature logic itself.  But that
doesn't mean you -can't- do it.  Indeed, the sort of IDS logic that I
build by default is geared more toward enunciating what the expected
behaviour of my networks are, rather than enunciating a laundry list of
exploits du jour[0].

Strategically, I'm less worried about find things that will be IDS
signatures next month than I am about finding things that will never be
IDS signatures.  Yes, that's a lot of data to deal with, but it's the
higher-cost threats in my view, such as the bad insider, strategic
compromise, etc.


Sure.  Actually, what I typically do (where I can) is hang onto as much
raw data (i.e., pcap-style dumpfiles or syslogd(8) output), and when I see
something that's Known Bad, automagically generate a rule that looks for
related---but initially unflagged---traffic in the original data.  The
idea being that if you see five packets from a given IP and four of them
generate alerts and one of them is silently passed, then you probably
wanna look at that fifth packet.  This is more or less the design case
for the entire doctrine system in shoki[1].

This works fine if you're not actually doing anything quote inline unquote,
and if you're not having any fever dreams involving the word `realtime'.
I.e., what is sometimes called forensic analysis (in the sense of
doing in-depth analysis, not in the sense of conducting analysis for
presentation to/use by an LEA), batch processing, data mining, or whatever.

Addressing your original question (what do you look at, why, and how) more
broadly, I'll say that I'll conduct just about any kind of goofy analysis
I can think of, on just about any data I can get my hands on, assuming
that I have the resources.  This obviously isn't a closed-form answer, and
that's somewhat frustrating.  But the point, I suppose, is that at this
stage of the game I'm really relying on primate forebrains (and, specifically,
their curiosity and penchant for pattern recognition) for a substantial
part of the real analysis of the data---so I'm constantly having to come
up with new and interesting ways of presenting the data to the primate (i.e.,
me).  If I could always enunciate what it is I'm looking for when I come
up with an interesting result, then I wouldn't need the primate anymore,
and after a couple days of coding (mod a couple months of debugging), I'd
have a widget that could present the canonical red light/green light GUI
to the NOC (i.e., relying on protoprimate forebrains instead).

This isn't exactly a shattering revelation---i.e., that you need analysts
to do analysis---but there seems to be a lot of baggage that security
products carry around which is predicated on the wonky notion that security
mechanisms can be made to be effectively self-managing.  Or, I suppose,
the fiction that they -already are- effectively self-managing.  I don't
believe that it is impossible that this will one day be possible, but we
clearly aren't there.  Further, the sorts of things that will get us there
are things like the ability to enunciate threat models in our
filtering/monitoring rules rather than things like simple data aggregation
or automated response methods (i.e. IPS-like things)---which seem to be the
focus of most current efforts.






- -spb

- -----
0       For the past n jours, where n coincidentally is the age of the
        product/project.  I mean I've seen NIDSes that are still checking
        for crap like Sendmail 5.x exploits.  If you're still need to be
        worried about that kinda thing, then you have problems that an
        IDS -will not- help you solve.
1       I.e., the ability to generate signatures on the fly and run the
        raw data through them.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)

iD8DBQFBXfXAG3kIaxeRZl8RAvrXAKCybvMWIw6A0BwEU6Svr15vTvaZjQCg+YFT
BBeJRAkTtn86XLY4JdouK1g=
=0N8a
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Log checking? Mark Tinberg (Sep 30)
- <Possible follow-ups>
- RE: Log checking? Marcus J. Ranum (Sep 30)
- RE: Log checking? Luke Butcher (Sep 30)
- RE: Log checking? FW Wizards Mailing List (Sep 30)
  - RE: Log checking? Paul D. Robertson (Oct 01)
    - RE: Log checking? Marcus J. Ranum (Oct 01)
    - RE: Log checking? Paul D. Robertson (Oct 01)
    - Re: Log checking? Devdas Bhagat (Oct 02)
  - Re: Log checking? Kevin (Oct 01)
  - Message not available
    - RE: Log checking? hermit921 (Oct 01)
- Re: Log checking? Stephen P. Berry (Oct 02)
- RE: Log checking? Mark Teicher (Oct 02)
- Re: Log checking? Bennett Todd (Oct 06)