IDS mailing list archives

Re: IDS is dead, etc

From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Thu, 07 Aug 2003 16:49:10 -0400

Tom Arseneault wrote:

Also signatures are not perfect, there might be two closely releated
vulnerabilities one being patch the other not which could match the same
signature and if you ignor the signature because you think your patched you
could be wrong. No, I can't think of any examples but since his was a
"philosophical question" and not a specific point I felt it was valid to
stretch the bounds of probability a bit.

I can think of two examples of signatures that we're patched againsthere that I'd still want to see:

1) The latest RPC DCOM signature for my IDS. All of our systems arepatched here. However, as has been shown recently, under certaincircumstances the Microsoft RPC patch will keep a system from beingcompromised, but the exploit will still cause instability in any givensystem. In this case, I absolutely want to know if packets containingthis exploit come down the line, even though I'm already patched.

2) Code Red II. Are Code Red II signature hits interesting? No - notat all. I know we're patched and I have yet to see a system in ournetwork actually sending the worm. However, the majority of signaturestripped by Code Red II on my system are for attempted cmd.exe access. Iuse the Code Red II root.exe signatures on my IDS to correlate thesecmd.exe attacks with a known infected Code Red box.

So, these two real world examples show how signatures that may generatenormally "uninteresting" traffic data can produce interestingcorrelation data or interesting data in the event of other problems.

Until someone comes out with an IDS signature format with more than onelevel and with intercorrelated reporting, uninteresting events willcontinue to generate interesting side-analysis. :)

Oh yes, and someone (perhaps tongue-in-cheek) mentioned that a properlyconfigured firewall removes the need for an NIDS. I have to chime inand say that I couldn't possibly disagree more. If you were joking,then I apologize for misunderstanding you. However, having a firewall -no matter how rock solid and perfect it is - is only a portion of a goodnetwork security infrastructure.

Just my $0.02 ...

      -Barry







---------------------------------------------------------------------------

Captus Networks - Integrated Intrusion Prevention and Traffic Shaping- Instantly Stop DoS/DDoS Attacks, Worms & Port Scans

- Automatically Control P2P, IM and Spam Traffic
- Ensure Reliable Performance of Mission Critical Applications
Precisely Define and Implement Network Security and Performance Policies
**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
Visit us at: http://www.captusnetworks.com/ads/31.htm
---------------------------------------------------------------------------

Current thread:

Re: IDS is dead, etc, (continued)
- Re: IDS is dead, etc Martin Roesch (Aug 05)
- Re: IDS is dead, etc David W. Goodrum (Aug 05)
  - Re: IDS is dead, etc Paul Schmehl (Aug 06)
    - Re: IDS is dead, etc Bennett Todd (Aug 06)
    - Re: IDS is dead, etc maz (Aug 07)
    - Re: IDS is dead, etc M. Dodge Mumford (Aug 07)
- RE: IDS is dead, etc Tom Arseneault (Aug 06)
  - RE: IDS is dead, etc Mark Tinberg (Aug 07)
- RE: IDS is dead, etc Tom Arseneault (Aug 07)
  - Re: IDS is dead, etc Sebastian Schneider (Aug 07)
  - Re: IDS is dead, etc Barry Fitzgerald (Aug 07)
    - Re: IDS is dead, etc Bennett Todd (Aug 08)
    - Re: IDS is dead, etc Sam f. Stover (Aug 11)
    - Re: IDS is dead, etc Scott Wimer (Aug 11)
    - Re: IDS is dead, etc Bennett Todd (Aug 11)
    - Re: IDS is dead, etc Scott Wimer (Aug 11)
    - Re: IDS is dead, etc Bennett Todd (Aug 11)
    - Re: IDS is dead, etc Scott Wimer (Aug 11)
    - Re: IDS is dead, etc Bennett Todd (Aug 11)
    - RE: IDS is dead, etc Security Conscious (Aug 11)
    - Re: IDS is dead, etc Jason Haar (Aug 11)

(Thread continues...)