IDS mailing list archives

Re: IDS is dead, etc


From: Bennett Todd <bet () rahul net>
Date: Wed, 6 Aug 2003 14:57:53 -0400

2003-08-06T07:39:28 Paul Schmehl:
Why would you want to know about Nimda attacks against your
servers?

(or more generally, attacks that won't succeed)

Some people _don't_ care. They need to disable the sigs they don't
care about, or configure their IDS to only match those sigs against
servers for which they're relevant.

The limiting case of this argument says that given a really
perfectly implemented firewall, you don't need an IDS at all. Some
folks don't.

I can easily suggest three scenarios where someone might want such
alerts.

(1) Suppose you've deployed your IDS on the inside edge of your
    firewall plant, rather than the outside. Aside from false alerts
    where the sig matches truly legit traffic, every alert reflects
    an incident. Someone set up a rogue server inside, and the
    malware got at it through some vector you can't protect against,
    e.g. a laptop that someone got infected when they hooked it up
    at home, then brought it in and hooked it up at their desk.

    This deployment scenario is also great for catching firewall
    config errors that inadvertently permit traffic you didn't
    intend.

(2) Suppose you're catching this info, and analyzing it in multiple
    dimensions. Even if all the attacks fail, you might be able to
    pick up on a sudden change in the attack profiles, alerting you
    to someone targeting your plant in a focused attack.

(3) The collected info can be helpful for building knowledge of the
    state of the internet. Groups like the ISACs share trending
    info, as well as details for analyzing new attacks. If your IDS
    is capturing with signatures that focus on vulnerabilities
    rather than on specific exploits, you can gather knowledge of new
    exploits as they are developed. This was a critical resource in
    the early analysis of Nimda, for instance.

Combine (3) with a honeypot and you're getting into really juicy
intelligence collection.

-Bennett
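Added example, not part of Bennett's post: a small Python script that puts scenarios (1) and (2) above into working code against constructed IDS alert records. For (1) it treats the sensor on the inside edge of the firewall as a tripwire: any alert there for a destination port the inbound policy does not permit is either an internal incident (rogue server, infected laptop) or a firewall configuration error. For (2) it builds a per-signature "attack profile" for a baseline period and for the current day and flags signatures whose share of the mix jumped, plus signatures never seen before, so a sudden change stands out even when every individual attack fails. The firewall policy (`ALLOWED_INBOUND_PORTS`), the signature names, the addresses and the alert counts are all invented for the example; nothing here is a real Snort rule or a real data set.

```python
"""Two IDS-alert analyses from the discussion above, on constructed data.

Scenario (1): inside-sensor alerts on ports the firewall should drop.
Scenario (2): a sudden shift in the signature mix versus a baseline.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Alert:
    day: date
    sensor: str   # "outside" or "inside", relative to the firewall
    sig: str      # signature name (constructed for this example)
    src: str
    dst: str
    dport: int


# Hypothetical inbound firewall policy: only these destination ports are
# meant to reach the inside network from the outside.
ALLOWED_INBOUND_PORTS = {80, 443, 25}


def build_sample_alerts():
    """Constructed alert data: three baseline days of worm noise, then a
    day with a new probe pattern and one alert seen by the inside sensor."""
    alerts = []
    for d in (1, 2, 3):
        day = date(2003, 8, d)
        for i in range(8):
            alerts.append(Alert(day, "outside", "IIS cmd.exe access attempt",
                                f"203.0.113.{i + 1}", "192.0.2.10", 80))
        for i in range(2):
            alerts.append(Alert(day, "outside", "IIS .ida overflow attempt",
                                f"198.51.100.{i + 1}", "192.0.2.10", 80))
    day = date(2003, 8, 4)
    for i in range(4):
        alerts.append(Alert(day, "outside", "IIS cmd.exe access attempt",
                            f"203.0.113.{i + 1}", "192.0.2.10", 80))
    alerts.append(Alert(day, "outside", "IIS .ida overflow attempt",
                        "198.51.100.1", "192.0.2.10", 80))
    for i in range(10):  # one source sweeping ten internal hosts on port 22
        alerts.append(Alert(day, "outside", "SSH version probe",
                            "203.0.113.77", f"192.0.2.{20 + i}", 22))
    # Seen only by the inside sensor: SMB traffic the firewall should block.
    alerts.append(Alert(day, "inside", "SMB share enumeration",
                        "10.0.5.23", "10.0.1.10", 445))
    return alerts


def inside_sensor_incidents(alerts):
    """Scenario (1): alerts on the inside sensor for a port the firewall
    policy does not permit. Each one is an internal incident or a
    firewall misconfiguration, not background noise."""
    return [a for a in alerts
            if a.sensor == "inside" and a.dport not in ALLOWED_INBOUND_PORTS]


def signature_profile(alerts):
    """Share of alerts per signature: the 'attack profile' of a period."""
    counts = Counter(a.sig for a in alerts)
    total = sum(counts.values())
    return {sig: n / total for sig, n in counts.items()} if total else {}


def profile_shift(baseline, current, threshold=0.2):
    """Scenario (2): signatures whose share of the alert mix moved by more
    than `threshold` between baseline and current, plus the total-variation
    distance between the two profiles as one summary number (0 = same mix,
    1 = completely different)."""
    shifted = {}
    diff_sum = 0.0
    for sig in set(baseline) | set(current):
        b, c = baseline.get(sig, 0.0), current.get(sig, 0.0)
        diff_sum += abs(c - b)
        if abs(c - b) > threshold:
            shifted[sig] = (b, c)
    return shifted, diff_sum / 2


def analyse(alerts, current_day):
    """Split alerts into baseline (before current_day) and current day,
    then run both checks and return the findings."""
    baseline = [a for a in alerts if a.day < current_day]
    current = [a for a in alerts if a.day == current_day]
    base_prof, cur_prof = signature_profile(baseline), signature_profile(current)
    shifted, tvd = profile_shift(base_prof, cur_prof)
    return {
        "inside_incidents": inside_sensor_incidents(current),
        "shifted": shifted,
        "new_signatures": set(cur_prof) - set(base_prof),
        "tvd": tvd,
    }


if __name__ == "__main__":
    result = analyse(build_sample_alerts(), date(2003, 8, 4))
    for a in result["inside_incidents"]:
        print(f"inside-sensor incident: {a.sig} {a.src} -> {a.dst}:{a.dport}")
    print(f"profile distance from baseline: {result['tvd']:.2f}")
    for sig, (b, c) in sorted(result["shifted"].items()):
        print(f"shift: {sig}: {b:.2f} -> {c:.2f}")
    print("new signatures:", ", ".join(sorted(result["new_signatures"])))
```

On the constructed data the inside sensor reports the SMB alert on port 445 as an incident, and the day-4 profile is far from the baseline (distance about 0.69): the IIS worm noise drops from 80% to 25% of the mix while a never-before-seen SSH probe takes 62%. That kind of shift is what the post means by "a sudden change in the attack profiles"; the right threshold and the right features (source count, destination spread, time of day) depend on the site, and a share-based comparison like this one is only a starting point.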

