IDS mailing list archives
Re: IDS is dead, etc
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Thu, 07 Aug 2003 16:49:10 -0400
Tom Arseneault wrote:
Also, signatures are not perfect: there might be two closely related vulnerabilities, one being patched, the other not, which could match the same signature, and if you ignore the signature because you think you're patched you could be wrong. No, I can't think of any examples, but since his was a "philosophical question" and not a specific point I felt it was valid to stretch the bounds of probability a bit.
I can think of two examples of signatures that we're patched against here that I'd still want to see:
1) The latest RPC DCOM signature for my IDS. All of our systems are patched here. However, as has been shown recently, under certain circumstances the Microsoft RPC patch will keep a system from being compromised, but the exploit will still cause instability in any given system. In this case, I absolutely want to know if packets containing this exploit come down the line, even though I'm already patched.
2) Code Red II. Are Code Red II signature hits interesting? No - not at all. I know we're patched and I have yet to see a system in our network actually sending the worm. However, the majority of signatures tripped by Code Red II on my system are for attempted cmd.exe access. I use the Code Red II root.exe signatures on my IDS to correlate these cmd.exe attacks with a known infected Code Red box.
So, these two real world examples show how signatures that may generate normally "uninteresting" traffic data can produce interesting correlation data or interesting data in the event of other problems.
Until someone comes out with an IDS signature format with more than one level and with intercorrelated reporting, uninteresting events will continue to generate interesting side-analysis. :)
Oh yes, and someone (perhaps tongue-in-cheek) mentioned that a properly configured firewall removes the need for an NIDS. I have to chime in and say that I couldn't possibly disagree more. If you were joking, then I apologize for misunderstanding you. However, having a firewall - no matter how rock solid and perfect it is - is only a portion of a good network security infrastructure.
Just my $0.02 ... -Barry
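The correlation Barry describes in his Code Red II example (using hits on a low-value worm signature to separate cmd.exe probes coming from a known-infected host from cmd.exe probes that deserve a closer look) can be scripted over an alert log. The block below is an added example written for this archive page; it is not code from the original post. The alert lines are constructed in the style of a Snort "fast" alert and the signature IDs 1256 (root.exe) and 1002 (cmd.exe) are assumed placeholders, not a claim about any particular ruleset.

```python
import re

# Constructed sample alerts (Snort fast-alert style); not real captures.
# 10.1.1.5 trips the root.exe "worm marker" signature and then probes cmd.exe;
# 10.9.9.9 probes cmd.exe without ever tripping the worm marker.
SAMPLE_ALERTS = """\
08/07-16:40:01.000001  [**] [1:1256:8] WEB-IIS CodeRed v2 root.exe access [**] [Priority: 1] {TCP} 10.1.1.5:3201 -> 192.168.0.10:80
08/07-16:40:01.000200  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.1.1.5:3202 -> 192.168.0.10:80
08/07-16:41:15.000003  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.9.9.9:4000 -> 192.168.0.10:80
08/07-16:42:30.000004  [**] [1:1002:7] WEB-IIS cmd.exe access [**] [Priority: 1] {TCP} 10.1.1.5:3203 -> 192.168.0.11:80
"""

# Assumed SIDs for the two signatures in the example; adjust to your ruleset.
CODERED_ROOT_SID = "1256"   # the "uninteresting" worm signature used as a marker
CMD_EXE_SID = "1002"        # the signature whose hits we actually want to triage

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Parse fast-style alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def correlate(alerts, marker_sid, interesting_sid):
    """Tag each hit on interesting_sid by whether its source also tripped marker_sid.

    Returns a list of (timestamp, src, dst, verdict) where verdict is
    'worm_host' (source is a known-infected box, low priority) or
    'unknown_source' (no worm marker seen from this source; investigate).
    """
    worm_hosts = {a["src"] for a in alerts if a["sid"] == marker_sid}
    results = []
    for a in alerts:
        if a["sid"] != interesting_sid:
            continue
        verdict = "worm_host" if a["src"] in worm_hosts else "unknown_source"
        results.append((a["ts"], a["src"], a["dst"], verdict))
    return results


def uncorrelated_sources(alerts, marker_sid=CODERED_ROOT_SID,
                         interesting_sid=CMD_EXE_SID):
    """Distinct sources probing cmd.exe that never tripped the worm marker."""
    seen = []
    for _, src, _, verdict in correlate(alerts, marker_sid, interesting_sid):
        if verdict == "unknown_source" and src not in seen:
            seen.append(src)
    return seen


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for row in correlate(parsed, CODERED_ROOT_SID, CMD_EXE_SID):
        print(row)
    print("investigate:", uncorrelated_sources(parsed))
```

The point of the script is the same as Barry's: the root.exe signature by itself is noise on a patched network, but it turns the cmd.exe alert stream into two piles, one explainable by a known worm host and one that is not. In the constructed sample the only source left to investigate is 10.9.9.9. Note that the marker is per source address, so a host that is both worm-infected and used by a human attacker would be mis-filed as "worm_host"; if that matters, correlate on the URI or payload as well rather than on address alone.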
Current thread:
- Re: IDS is dead, etc, (continued)
- Re: IDS is dead, etc Martin Roesch (Aug 05)
- Re: IDS is dead, etc David W. Goodrum (Aug 05)
- Re: IDS is dead, etc Paul Schmehl (Aug 06)
- Re: IDS is dead, etc Bennett Todd (Aug 06)
- Re: IDS is dead, etc maz (Aug 07)
- Re: IDS is dead, etc M. Dodge Mumford (Aug 07)
- Re: IDS is dead, etc Paul Schmehl (Aug 06)
- RE: IDS is dead, etc Tom Arseneault (Aug 06)
- RE: IDS is dead, etc Mark Tinberg (Aug 07)
- RE: IDS is dead, etc Tom Arseneault (Aug 07)
- Re: IDS is dead, etc Sebastian Schneider (Aug 07)
- Re: IDS is dead, etc Barry Fitzgerald (Aug 07)
- Re: IDS is dead, etc Bennett Todd (Aug 08)
- Re: IDS is dead, etc Sam f. Stover (Aug 11)
- Re: IDS is dead, etc Scott Wimer (Aug 11)
- Re: IDS is dead, etc Bennett Todd (Aug 11)
- Re: IDS is dead, etc Scott Wimer (Aug 11)
- Re: IDS is dead, etc Bennett Todd (Aug 11)
- Re: IDS is dead, etc Scott Wimer (Aug 11)
- Re: IDS is dead, etc Bennett Todd (Aug 11)
- RE: IDS is dead, etc Security Conscious (Aug 11)
- Re: IDS is dead, etc Jason Haar (Aug 11)