IDS mailing list archives
Re: Views and Correlation in Intrusion Detection
From: Blake Matheny <bmatheny () mkfifo net>
Date: Wed, 18 Jun 2003 09:18:19 -0400
I think part of the problem here is defining what the usage scope for a NIDS should be. I believe (and I'm not alone here) that a NIDS is part of an overall ID system. However, I think most researchers and companies are missing the point that what we need is not a better mouse trap, but rather a clean room with the existing trap. Here I'm simply implying that a clean room would be an ideal environment to pick up other 'evidence' of the presence of a mouse, regardless of whether or not the mouse trap works.

I don't mean to say that ID (host and network) systems aren't in need of improvement, because they are. What I do mean to say is that existing implementations currently can't be used effectively because other, pertinent information isn't available.

Research has been done (and lots of it) on correlation techniques. However, many of these techniques completely ignore the fact that we live in a heterogeneous world where data simply isn't _available_ to the system. People have spent time writing custom conversion filters (for instance, Syslog to IDMEF). However, writing custom transformations has two huge problems. First, it simply doesn't scale. Second, and certainly tied to the first, is the semantic problem that seems to often get ignored. The way that the system and application developers understand the information is rarely the same as the person using the system.

I think the question we have to ask ourselves is: are we spending too much time trying to build a better mouse trap?

Cheers,
-Blake

Whatchu talkin' 'bout, Willis?
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> DAVID MARKLE writes:
>
>> An IDS alert is ONLY relevant if the firewall permits the traffic through. To further the comment, an attack signature tripped for (known attack) xyz is ONLY relevant when the attacked host is vulnerable to xyz. This is the ultimate job of correlation. If the above surrounding conditions are true, the severity of the attack becomes increased to critical, otherwise it is informational only.
>
> I disagree. If you see six packets from a single source and five of them match five discrete attack signatures and your NIDS doesn't tell you anything about the sixth, the smart money says that someone just tried five attacks you know about and one you don't. If you're ignoring the five (because you know you're safe from them), you just missed the sixth (which is the one you're going to get paged about a couple hours later)[0].
>
> If you're about to suggest that disambiguating this sort of situation isn't something that most NIDS products do well (or, indeed, at all), ya got me there. But, alas, we have not yet found a way to convince the blackhats to only attack us in such ways as we find convenient to monitor[1].
>
> The question you've got to ask yourself is what your NIDS is there for: to behave such that it does not inconvenience your incident analysts, or to behave in such a way as to catch the maximum number of bad guys[2].
>
> -spb
>
> -----
> [0] Random aside: try to express what I've just described using the IDMEF.
> [1] Certainly not in the general case. Honeynets and such things undoubtedly work for some situations.
> [2] Of course this is a min/max problem, and neither extreme is optimal.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (OpenBSD)
>
> iD8DBQE+77LKG3kIaxeRZl8RAsZkAKCNkPAuIk8PwHWWyyTFGL97g/28VQCghDsJ
> ufkLX5efYFmRWacwHCtUKQ8=
> =cRIB
> -----END PGP SIGNATURE-----
--
Blake Matheny           "... one of the main causes of the fall of the
bmatheny () mkfifo net  Roman Empire was that, lacking zero, they had
http://www.mkfifo.net   no way to indicate successful termination of
http://ovmj.org/GNUnet/ their C programs." --Robert Firth

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
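The two correlation positions argued over in the quoted exchange, sketched in Python as an added example (not code from the thread or from any product the posters mention): Markle's rule, under which an alert is escalated to critical only when the firewall would have passed the traffic and the target is known to be vulnerable to that signature, and Berry's objection, under which a source that has already tripped several distinct signatures makes its remaining unmatched traffic the interesting part. The addresses, ports, signature ids, firewall policy and vulnerability table are constructed placeholders.

```python
"""Toy alert correlation: Markle's severity rule plus Berry's per-source rule.

All context data here is constructed for the example. The signature ids,
hosts and ports are placeholders, not real identifiers.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One packet or flow as the NIDS saw it; sig is None when nothing matched."""
    src: str
    dst: str
    dport: int
    sig: Optional[str]


# Constructed "clean room" context: what the firewall lets through, and which
# signatures each host is actually exposed to (placeholder values).
FIREWALL_ALLOW: Set[Tuple[str, int]] = {
    ("10.0.0.5", 80), ("10.0.0.5", 443), ("10.0.0.7", 22),
}
VULNERABLE_TO: Dict[str, Set[str]] = {
    "10.0.0.5": {"SIG-WEB-0001"},   # placeholder signature id
    "10.0.0.7": set(),
}


def severity(ev: Event) -> str:
    """Markle's rule for a single alert: critical only if the firewall permits
    the traffic AND the target is vulnerable to the matched signature."""
    if ev.sig is None:
        return "unmatched"
    permitted = (ev.dst, ev.dport) in FIREWALL_ALLOW
    vulnerable = ev.sig in VULNERABLE_TO.get(ev.dst, set())
    return "critical" if permitted and vulnerable else "informational"


def markle_only(events: Iterable[Event]) -> List[Event]:
    """What an analyst sees if everything below critical is discarded."""
    return [ev for ev in events if severity(ev) == "critical"]


def flagged_sources(events: Iterable[Event], threshold: int = 3) -> Set[str]:
    """Berry's heuristic: a source that trips `threshold` or more distinct
    signatures is treated as hostile, whether or not we were vulnerable."""
    sigs_by_src: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        if ev.sig is not None:
            sigs_by_src[ev.src].add(ev.sig)
    return {src for src, sigs in sigs_by_src.items() if len(sigs) >= threshold}


def correlate(events: List[Event], threshold: int = 3) -> List[Tuple[Event, str]]:
    """Apply Markle's severity per alert, then Berry's rule so that an unmatched
    packet from an already-hostile source is surfaced instead of dropped."""
    hostile = flagged_sources(events, threshold)
    labelled = []
    for ev in events:
        label = severity(ev)
        if ev.src in hostile:
            if label == "unmatched":
                label = "suspect-unmatched"          # Berry's "sixth packet"
            elif label == "informational":
                label = "informational/hostile-source"
        labelled.append((ev, label))
    return labelled


# Constructed sample: six packets from one source, five matching distinct
# signatures and one matching nothing, plus one lone unmatched packet.
SAMPLE_EVENTS: List[Event] = [
    Event("192.0.2.10", "10.0.0.5", 80, "SIG-WEB-0001"),     # permitted + vulnerable
    Event("192.0.2.10", "10.0.0.5", 80, "SIG-WEB-0002"),     # permitted, not vulnerable
    Event("192.0.2.10", "10.0.0.7", 22, "SIG-SSH-0001"),     # permitted, not vulnerable
    Event("192.0.2.10", "10.0.0.7", 23, "SIG-TELNET-0001"),  # firewall would drop it
    Event("192.0.2.10", "10.0.0.5", 443, "SIG-WEB-0003"),    # permitted, not vulnerable
    Event("192.0.2.10", "10.0.0.5", 443, None),              # the sixth packet
    Event("198.51.100.4", "10.0.0.5", 80, None),             # lone unmatched packet
]


if __name__ == "__main__":
    print("Markle-only view keeps", len(markle_only(SAMPLE_EVENTS)), "event(s)")
    for ev, label in correlate(SAMPLE_EVENTS):
        print(f"{ev.src} -> {ev.dst}:{ev.dport} {ev.sig or '-':16} {label}")
```

Run as a script it prints the filtered-only view (one event) beside the correlated view, where the unmatched packet from the noisy source is labelled `suspect-unmatched` while the identical unmatched packet from a quiet source stays plain `unmatched`. The threshold is the knob for Berry's min/max remark: lower it and more sources get flagged, raise it and the filtered view wins.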
Current thread:
- Views and Correlation in Intrusion Detection Blake Matheny (Jun 17)
- RE: Views and Correlation in Intrusion Detection Jim Butterworth (Jun 17)
- Re: Views and Correlation in Intrusion Detection SecurIT Informatique Inc. (Jun 17)
- <Possible follow-ups>
- Re: Views and Correlation in Intrusion Detection DAVID MARKLE (Jun 17)
- Re: Views and Correlation in Intrusion Detection Stephen P. Berry (Jun 18)
- RE: Views and Correlation in Intrusion Detection David Markle (Jun 18)
- Re: Views and Correlation in Intrusion Detection Stephen P. Berry (Jun 22)
- Re: Views and Correlation in Intrusion Detection Blake Matheny (Jun 22)
- Re: Views and Correlation in Intrusion Detection Stephen P. Berry (Jun 18)
- Re: Views and Correlation in Intrusion Detection Blake Matheny (Jun 18)
- RE: Views and Correlation in Intrusion Detection Rob Shein (Jun 22)
- Re: Views and Correlation in Intrusion Detection Paul Schmehl (Jun 25)
- RE: Views and Correlation in Intrusion Detection Scott M. Algatt (Jun 25)
- Re: Views and Correlation in Intrusion Detection Mike Coliton (Jun 26)