IDS mailing list archives

RE: Views and Correlation in Intrusion Detection


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Tue, 24 Jun 2003 11:54:16 -0500

-----Original Message-----
From: adam.w.hogan [mailto:adam.w.hogan () delphi com] 
Sent: Tuesday, June 24, 2003 7:24 AM
To: Focus-Ids (E-mail)
Cc: Schmehl, Paul L
Subject: RE: Views and Correlation in Intrusion Detection

Then you may be in luck: there are a number of companies 
working on a solution like this.  Actually, one week I heard 
the same presentation about this very idea from three 
different vendors - this idea's quite the buzz-word right 
now.  I'll warn you, it may be a while before any of these 
products are reasonably priced.  I am looking forward to 
hearing more about Sourcefire's RNA, though.

I am as well.  And I really think this is a *necessity* if most of us
are going to be truly effective.

I feel differently: if anybody is on my network trying to use 
/any/ exploit /anywhere/ I'd like to know about it.  
Especially on the inside. Perhaps there's a difference 
between trying to follow this data for a large company and 
for a university?

I can't really say, since all my experience is in edu.  I *can* tell you
that the number of attacks we see is so high that it rapidly becomes
noise.  That's why I'm so anxious to see correlation between attacks and
boxes that are vulnerable to those attacks.  The rest is really "noise"
AFAIC.  I don't have time to follow up on stuff that doesn't actually
compromise a box.

The most prominent reason that I don't consider this 
solution, however, is that it would be ridiculously 
difficult, if not impossible, to identify every server on the 
network here.  I don't even know how many servers we have, 
let alone what OS, patch level, and services they have. There 
are tools being developed to passively scan the network and 
try to determine these things, but the ones I've seen cost a 
small fortune.

Nmap is your friend.  Just scan the network.  If port 80 is open, it's a
web server.  Doesn't matter if it's *supposed* to be, it is.  That's how
I identify our major services - web, ms-sql, mysql, mail, etc.  Then I
start contacting owners - did you know you were running a service?  Did
you know that that service is vulnerable?  Did you know that we'll take
you off the network if it stays vulnerable?

I scan *weekly* for SQL Slammer vulnerabilities, open NetBIOS shares and
"standard" services (web, mail, databases, etc.)

(Sorry if I come off as ranting, just trying to chip away at 
the issue so we can start to tackle smaller bits.  Thanks to 
everybody who has, and will, contribute to the discussion - your 
ideas are very helpful.)

Not ranting at all.  The problem in large network security is
information overload.  The solution *has* to be some "intelligent"
software that sorts through the bits and reports what *really* matters -
*really* being defined by the security specialist whose network is being
monitored.  (As you've acknowledged, what matters to you may not matter
to me, and vice versa.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
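The correlation Paul asks for in this message (IDS alerts matched against hosts that actually expose the attacked service) and the nmap-built inventory he describes are small enough to show end to end. The following is an added example written for this archive page; it is not code from the thread, from Sourcefire RNA, or from UT Dallas. It assumes a weekly scan saved with `nmap -oX` and Snort alerts in the one-line "fast" format; both the nmap XML fragment and the alert lines below are constructed sample data, the hosts and addresses are fictitious, and the triage rule (an alert matters only if the target host was seen with that port open) is a deliberate simplification that ignores OS and patch level.

```python
"""Correlate IDS alerts against a port-scan inventory (added example).

A weekly scan of the kind described in the thread could be produced with
(hypothetical command line, not from the original message):
    nmap -sS -sU -p U:1434,T:25,80,139,445,1433,3306 -oX weekly.xml 10.0.1.0/24
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed nmap -oX output for two fictitious hosts (not real scan data).
NMAP_XML = """<nmaprun>
  <host><status state="up"/><address addr="10.0.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="udp" portid="1434"><state state="open|filtered"/><service name="ms-sql-m"/></port>
    </ports></host>
  <host><status state="up"/><address addr="10.0.1.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="25"><state state="open"/><service name="smtp"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
    </ports></host>
</nmaprun>"""

# Constructed alert lines in Snort "fast" format (sample data, not a real log).
ALERTS = """06/24-11:02:15.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1036 -> 10.0.1.5:1434
06/24-11:02:16.000001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1036 -> 10.0.1.9:1434
06/24-11:03:40.555555  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.2:4411 -> 10.0.1.9:80
06/24-11:04:01.777777  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1036 -> 10.0.1.20:1434
"""

ALERT_RE = re.compile(
    r'\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\].*?'
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)'
)

# UDP scans cannot distinguish open from filtered, so treat both as exposed.
EXPOSED_STATES = {'open', 'open|filtered'}


def load_inventory(xml_text):
    """Return {ip: {(proto, port), ...}} of exposed ports from nmap -oX output.

    A host with no exposed ports still gets an (empty) entry, so that later
    alerts against it can be told apart from alerts against unscanned hosts.
    """
    inventory = defaultdict(set)
    for host in ET.fromstring(xml_text).iter('host'):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get('addr')
        inventory[ip]  # make sure the host is recorded even if nothing is open
        for port in host.iter('port'):
            if port.find('state').get('state') in EXPOSED_STATES:
                inventory[ip].add((port.get('protocol'), int(port.get('portid'))))
    return dict(inventory)


def parse_alert(line):
    """Pull signature, protocol and target out of one Snort fast-format line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {'sid': m['sid'], 'msg': m['msg'], 'proto': m['proto'].lower(),
            'src': m['src'], 'dst': m['dst'], 'dport': int(m['dport'])}


def triage(alert, inventory):
    """'relevant' if the target exposes the attacked port, 'noise' if it is a
    scanned host that does not, 'unknown' if the target was never scanned."""
    if alert['dst'] not in inventory:
        return 'unknown'
    if (alert['proto'], alert['dport']) in inventory[alert['dst']]:
        return 'relevant'
    return 'noise'


def correlate(alert_text, inventory):
    """Bucket every parseable alert line by its triage result."""
    buckets = {'relevant': [], 'noise': [], 'unknown': []}
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert:
            buckets[triage(alert, inventory)].append(alert)
    return buckets


if __name__ == '__main__':
    result = correlate(ALERTS, load_inventory(NMAP_XML))
    for bucket, alerts in result.items():
        print(f"{bucket}: {len(alerts)}")
        for a in alerts:
            print(f"  {a['src']} -> {a['dst']}:{a['dport']}/{a['proto']}  {a['msg']}")
```

The 'unknown' bucket is the part worth keeping: it lists targets the weekly scan never saw, which is exactly the incomplete-inventory problem raised earlier in the thread, and it should be fed back into the next scan's target list rather than silently dropped. Matching on an open port is only a first cut; a production version would also compare the scanned service version against what the signature actually exploits.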
