RE: Views and Correlation in Intrusion Detection

["Scott M. Algatt" <salgatt () turtleshell net>]

I know that someone is doing something like this already.  They are a
third party plug-in to CheckPoint called ipangel.  Their software scans
the network and updates it's database and waits.  If I remember it
dynamically creates rules for your network.  If you have an Apache web
server then it disables all the IIS rules going to that web server.

It has been awhile since I looked at their software but feel free to do
some reading:

http://www.lucidsecurity.com/


Regards,

Scott M. Algatt

Behold the turtle. He makes progress only when he sticks his neck out.

On Tue, 24 Jun 2003, Schmehl, Paul L wrote:

> > -----Original Message-----
> > From: adam.w.hogan [mailto:adam.w.hogan () delphi com]
> > Sent: Tuesday, June 24, 2003 7:24 AM
> > To: Focus-Ids (E-mail)
> > Cc: Schmehl, Paul L
> > Subject: RE: Views and Correlation in Intrusion Detection
> >
> > Then you may be in luck, there are a number of companies
> > working on a solution like this.  Actually, one week I heard
> > the same presentation about this very idea from three
> > different vendors - this idea's quite the buzz-word right
> > now.  I'll warn you, it may be awhile before any of these
> > products are reasonably priced.  I am looking forward to
> > hearing more about Sourcefire's RNA, though.
> I am as well.  And I really think this is a *necessity* if most of us
> are going to be truly effective.
> > I feel differently, if anybody is on my network trying to use
> > /any/ exploit /anywhere/ I'd like to know about it.
> > Especially on the inside. Perhaps there's a difference
> > between trying to follow this data for a large company than a
> > university?
> I can't really say, since all my experience is in edu.  I *can* tell you
> that the amount of attacks we see is so high that it rapidly becomes
> noise.  That's why I'm so anxious to see correlation between attacks and
> boxes that are vulnerable to those attacks.  The rest is really "noise"
> AFAIC.  I don't have time to follow up on stuff that doesn't actually
> compromise a box.
>
> > The most prominent reason that I don't consider this
> > solution, however, is that it would be ridiculously
> > difficult, if not impossible, to identify every server on the
> > network here.  I don't even know how many servers we have,
> > let alone what OS, patch level, and services they have. There
> > are tools being developed to passively scan the network and
> > try to determine these things, but the ones I've seen cost a
> > small fortune.
> Nmap is your friend.  Just scan the network.  If port 80 is open, it's a
> web server.  Doesn't matter if it's *supposed* to be, it is.  That's how
> I identify our major services - web, ms-sql, mysql, mail, etc.  Then I
> start contacting owners - did you know you were running a service?  Did
> you know that that service is vulnerable?  Did you know that we'll take
> you off the network if it stays vulnerable?
>
> I scan *weekly* for SQL Slammer vulnerabilities, open NetBIOS shares and
> "standard" services (web, mail, databases, etc.)
> > (Sorry if I come off as ranting, just trying to chip away at
> > the issue so we can start to tackle smaller bits.  Thanks to
> > everybody has, and will, contribute to the discussion - your
> > ideas are very helpful.)
> Not ranting at all.  The problem in large network security is
> information overload.  The solution *has* to be some "intelligent"
> software that sorts through the bits and reports what *really* matters -
> *really* being defined by the security specialist whose network is being
> monitored.  (As you've acknowledged, what matters to you may not matter
> to me, and vice versa.)
>
> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
>
> -------------------------------------------------------------------------------
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
> world's premier technical IT security event! 10 tracks, 15 training sessions,
> 1,800 delegates from 30 nations including all of the top experts, from CSO's to
> "underground" security specialists.  See for yourself what the buzz is about!
> Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
> -------------------------------------------------------------------------------


-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------