IDS mailing list archives

Re: Views and Correlation in Intrusion Detection


From: Blake Matheny <bmatheny () mkfifo net>
Date: Wed, 18 Jun 2003 09:18:19 -0400

I think part of the problem here is defining what the scope of usage
for a NIDS should be. I believe (and I'm not alone here) that a NIDS is part
of an overall ID system. However, I think most researchers and companies are
missing the point that what we need is not a better mouse trap, but rather a
clean room with the existing trap. Here I'm simply implying that a clean room
would be an ideal environment to pick up other 'evidence' of the presence of a
mouse, regardless of whether or not the mouse trap works.
 I don't mean to say that ID (host and network) systems aren't in need of
improvement, because they are. What I do mean to say, is that existing
implementations currently can't be used effectively because other, pertinent
information isn't available.
 Research has been done (and lots of it) on correlation techniques. However,
many of these techniques completely ignore the fact that we live in a
heterogeneous world where data simply isn't _available_ to the system. People
have spent time writing custom conversion filters (for instance, Syslog to
IDMEF). However, writing custom transformations has two huge problems. First,
it simply doesn't scale. Second, and certainly tied to the first, is the
semantic problem that seems to often get ignored. The way that the system
and application developers understand the information is rarely the same as
the person using the system.
 I think the question we have to ask ourselves, is are we spending too much
time trying to build a better mouse trap?

Cheers,

-Blake

Whatchu talkin' 'bout, Willis?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


DAVID MARKLE writes:

An IDS alert is ONLY relevant if the
firewall permits the traffic through.  To further the comment, an
attack signature tripped for (known attack) xyz is ONLY relevant when
the attacked host is vulnerable to xyz.  This is the ultimate job of
correlation.  If the above surrounding conditions are true, the
severity of the attack becomes increased to critical, otherwise it is
informational only.

I disagree.  If you see six packets from a single source and five of them
match five discrete attack signatures and your NIDS doesn't tell you
anything about the sixth, the smart money says that someone just tried
five attacks you know about and one you don't.  If you're ignoring the
five (because you know you're safe from them), you just missed the sixth
(which is the one you're going to get paged about a couple hours later)[0].

If you're about to suggest that disambiguating this sort of situation
isn't something that most NIDS products do well (or, indeed, at all),
ya got me there.  But, alas, we have not yet found a way to convince
the blackhats to only attack us in such ways as we find convenient
to monitor[1].  The question you've got to ask yourself is what your
NIDS is there for:  to behave such that it does not inconvenience your
incident analysts, or to behave in such a way as to catch the maximum
number of bad guys[2].

- -spb

- -----
0     Random aside:  try to express what I've just described using the
      IDMEF.
1     Certainly not in the general case.  Honeynets and such things
      undoubtedly work for some situations.
2     Of course this is a min/max problem, and neither extreme is
      optimal.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iD8DBQE+77LKG3kIaxeRZl8RAsZkAKCNkPAuIk8PwHWWyyTFGL97g/28VQCghDsJ
ufkLX5efYFmRWacwHCtUKQ8=
=cRIB
-----END PGP SIGNATURE-----

-- 
Blake Matheny           "... one of the main causes of the fall of the
bmatheny () mkfifo net      Roman Empire was that, lacking zero, they had
http://www.mkfifo.net    no way to indicate successful termination of
http://ovmj.org/GNUnet/  their C programs." --Robert Firth
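The two positions quoted above (severity gated on firewall policy and target vulnerability, versus correlating every flow from one source) can be compared directly on a small event set. The following is an added example written for this archive page; it is not code from either poster. The log layout (timestamp, source, destination, signature id or "-" for no match, firewall verdict), the addresses, the signature ids, the vulnerability table and the threshold are all constructed for illustration.

```python
"""Per-source correlation of NIDS alerts and unmatched flows.

Added example, not code from the original thread. Every line of sample
data below is constructed, and the field layout is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: one line per flow seen by the sensor. The signature
# column is "-" when the NIDS matched nothing for that flow. The first six
# lines reproduce the "six packets, five signatures" scenario from the post.
SAMPLE_EVENTS = """\
2003-06-18T09:01:02 10.9.8.7 192.0.2.10 SIG-1001 permitted
2003-06-18T09:01:03 10.9.8.7 192.0.2.10 SIG-1002 permitted
2003-06-18T09:01:04 10.9.8.7 192.0.2.10 SIG-1003 permitted
2003-06-18T09:01:05 10.9.8.7 192.0.2.10 SIG-1004 permitted
2003-06-18T09:01:06 10.9.8.7 192.0.2.10 SIG-1005 permitted
2003-06-18T09:01:07 10.9.8.7 192.0.2.10 - permitted
2003-06-18T09:05:00 198.51.100.4 192.0.2.10 SIG-1001 denied
"""

# Constructed asset data: signatures the target host is known to be
# vulnerable to. None of the five tripped signatures are in it.
VULNERABLE: Dict[str, Set[str]] = {"192.0.2.10": {"SIG-2000"}}


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    sig: Optional[str]   # None when the sensor matched no signature
    permitted: bool      # firewall verdict for the flow


def parse(text: str) -> List[Event]:
    """Parse the constructed whitespace-separated event format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sig, verdict = line.split()
        events.append(Event(ts, src, dst, None if sig == "-" else sig,
                            verdict == "permitted"))
    return events


def vulnerability_gated(events: List[Event]):
    """Markle's rule as quoted: an alert is critical only when the firewall
    permitted the flow AND the target is vulnerable to that signature;
    otherwise it is informational. Flows with no signature never surface."""
    out = []
    for e in events:
        if e.sig is None:
            continue  # nothing matched, so nothing is reported
        vulnerable = e.sig in VULNERABLE.get(e.dst, set())
        sev = "critical" if (e.permitted and vulnerable) else "informational"
        out.append((e.src, e.sig, sev))
    return out


def source_correlated(events: List[Event], min_sigs: int = 3):
    """spb's reading: group flows by source. A source that trips several
    distinct signatures has all of its permitted, unmatched flows escalated
    for analyst review, whether or not the known attacks would have worked."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    findings = []
    for src, evs in by_src.items():
        sigs = {e.sig for e in evs if e.sig is not None}
        unmatched = [e for e in evs if e.sig is None and e.permitted]
        if len(sigs) >= min_sigs and unmatched:
            findings.append({"src": src,
                             "distinct_sigs": len(sigs),
                             "unmatched_permitted": len(unmatched),
                             "severity": "critical"})
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_EVENTS)
    print("gated:", vulnerability_gated(evs))
    print("correlated:", source_correlated(evs))
```

Run against the constructed data, the gated rule emits six informational alerts and silently drops the sixth (unmatched) flow; the per-source rule emits one critical finding for 10.9.8.7 that carries that unmatched flow with it. The threshold `min_sigs` is a tunable, not something either poster specified.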
