IDS mailing list archives

Re: Rather funny; looks like page defacement to me


From: "Bill Royds" <Bill () royds net>
Date: Sun, 15 Jun 2003 00:09:34 -0400

All of your examples could just have been handled by installing a sniffer on
the segment once the problem was discovered. None of them would have
required the megabucks investment to install a full IDS on a high-speed
switched LAN/MAN, except for the anomaly detection case, and it could just
as easily have been noticed by proper log analysis.
   I did not say that all network IDS were bad, but that most installations
of IDS cost a lot of money for very little extra security. Installation in a
switched network will be very costly, tuning on anything but a dedicated
segment is difficult, proper monitoring requires expertise that is
expensive. It does not give the bang for the buck that a firewall does, host
IDS does, hardening does or security awareness education does.

  A honeypot is not the same as an IDS, and I think that they can be
useful for tuning firewalls. For example, a honeypot imitating the services
on your Internet server segment, but with IP addresses one off, can give you
a good idea about what is being attacked, helping to harden servers and
prevent addition of firewall ports to rules that have security problems in
your situation.

As to printers, most network-aware printers run with default telnet (no
password), so any malicious person who penetrated your security perimeter
would immediately head for them and install sniffing software. There is a
Xerox high end printer that runs Solaris 8. Imagine that on your corporate
LAN with no password for root.
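Bill's point above is that the password-cracking case could have been found by proper log analysis rather than an anomaly-detection NIDS. As an added example (not part of the original thread or anyone's posted code), the script below does that analysis over constructed sshd-style log lines: a sliding window per source address that flags any host accumulating a burst of failed logins. The threshold of five failures within one minute is an assumed value, as are the hostnames and addresses.

```python
"""Added example, not from the original thread: the "proper log analysis"
that would surface password guessing. Log lines, hosts, addresses and the
threshold/window values are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in syslog/sshd style: one source (10.1.1.77)
# hammers several accounts within seconds; the others are ordinary logins.
SAMPLE_LOG = """\
Jun 13 11:29:51 mail sshd[2001]: Accepted password for alice from 10.1.1.20 port 40211 ssh2
Jun 13 11:30:02 mail sshd[2002]: Failed password for bob from 10.1.1.77 port 50001 ssh2
Jun 13 11:30:03 mail sshd[2003]: Failed password for bob from 10.1.1.77 port 50002 ssh2
Jun 13 11:30:04 mail sshd[2004]: Failed password for invalid user root from 10.1.1.77 port 50003 ssh2
Jun 13 11:30:05 mail sshd[2005]: Failed password for supervisor from 10.1.1.77 port 50004 ssh2
Jun 13 11:30:06 mail sshd[2006]: Failed password for supervisor from 10.1.1.77 port 50005 ssh2
Jun 13 11:30:07 mail sshd[2007]: Failed password for supervisor from 10.1.1.77 port 50006 ssh2
Jun 13 11:45:00 mail sshd[2008]: Failed password for carol from 10.1.1.31 port 40300 ssh2
Jun 13 11:45:20 mail sshd[2009]: Accepted password for carol from 10.1.1.31 port 40301 ssh2
"""

# Matches only failed-password lines; "invalid user" is optional in sshd's format.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def failed_logins(log_text):
    """Yield (timestamp, user, source) for each failed-password line.
    Syslog timestamps carry no year; strptime defaults it, which is fine
    for comparing times within one log."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("src")


def find_guessing(log_text, threshold=5, window=timedelta(minutes=1)):
    """Sliding window per source: flag a source that accumulates at least
    `threshold` failures inside `window`. Returns {src: (count, users)},
    where users are the account names tried inside the flagged window."""
    recent = defaultdict(list)   # src -> [(ts, user)] still inside the window
    flagged = {}
    for ts, user, src in sorted(failed_logins(log_text)):
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop entries older than the window
            q.pop(0)
        if len(q) >= threshold:
            flagged[src] = (len(q), sorted({u for _, u in q}))
    return flagged


if __name__ == "__main__":
    for src, (count, users) in find_guessing(SAMPLE_LOG).items():
        print(f"{src}: {count} failed logins in window, accounts tried: {users}")
```

Running it reports 10.1.1.77 with six failures across bob, root and supervisor, while 10.1.1.31 (one typo followed by a successful login) stays quiet; the same logic applies unchanged to any authentication log whose lines you can pattern-match, which is the cheap alternative to a NIDS sensor Bill is describing.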
----- Original Message ----- 
From: "Roger A. Grimes" <rogerg () cox net>
To: <broyds () rogers com>; "Anton Chuvakin" <anton () chuvakin org>;
<focus-ids () securityfocus com>
Sent: Saturday, June 14, 2003 10:38 PM
Subject: RE: Rather funny; looks like page defacement to me


Without getting into the very large issues that usually surround IDSs, I've
found a few instances where IDSs were the best solution.

1.  I was at a client the day the BugBear worm broke loose.  Coincidentally,
their printers were printing up a lot of garbage that day.  One of the side
effects of BugBear is that it accidentally tries to infect printer shares
(while trying to infect drive shares).  This results in printer garbage and
locked up printers.  Had Bugbear gotten past the client's normal security
defenses and AV software?  I mean, AV software doesn't run on HP LaserJets
and AV software wouldn't go off unless the worm was successful in
penetrating a weak drive share password.  I fired up Snort, googled a
Bugbear signature, and waited.  No alerts.  A few hours later we tracked the
problem to a single buggy printer driver (like we all initially suspected).

2. IDSs in the form of a honeypot.  I had a client whose extranet database
server kept getting files deleted.  They hired me to set up a honeypot
mimicking the victim system to catch the crackers.  Turned out to be an
internal employee trying to discredit the database server administrator.
Caught and fired.

3.  At another client, an Anomaly Detection NIDS noted suspicious
password-cracking activity.  Again, another internal employee caught reading
the supervisor's email.  Caught and still under investigation.

IDSs are often more trouble than they're worth....the key is fine tuning,
fine tuning, and fine tuning.  But those instances above, I can't think of
another security tool (VA, AV, firewall, etc.) that could have done the job
better.

My dad taught me that bringing the right screwdriver to the job always made
it easier.

Roger

***************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: rogerg () cox net
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode/
***************************************************************************



-----Original Message-----
From: broyds () rogers com [mailto:broyds () rogers com]
Sent: Friday, June 13, 2003 3:48 PM
To: Anton Chuvakin; focus-ids () securityfocus com
Subject: Re: Rather funny; looks like page defacement to me


In general, they are perfectly correct.
Most IDS installations are very expensive packet sniffers because most
installations know so little about their enterprise network that they are
unable to tune it in any meaningful way or design and place the sensors to
monitor meaningful traffic.
   I am not saying that IDS are always useless, but they are most useful as
part of a well designed network that partitions traffic so that there is a
good baseline understanding of what traffic should appear on each segment.
   Interestingly, they denigrate Intrusion Prevention Systems and hail
firewalls, when an IPS is really a firewall with dynamically generated rule
set. Most of us would agree that an internal office network requires a
firewall between it and the Internet. The firewall normally only has a
static rule set that basically only guarantees that TCP virtual circuits
have correct TCP semantics and, for application gateways, that the traffic
follows the protocol RFC.  Most attacks these days are not at the layer
2/layer 3 level guarded by a firewall, but at layer 7 or above, using the
fact that Application protocols like HTTP, FTP, SMTP etc. have enough holes
in them that a perfectly standards conforming stream can be used to attack a
host at the end of the stream.
  Most IDS are still installed by people who don't even understand TCP/IP,
let alone HTTP, or the proprietary stuff coming from Real Networks or
Microsoft. How are they going to properly tune an IDS to avoid wasting a lot
of time and effort on false positives or, conversely, ignoring everything so
the IDS has no teeth?
  So most IDS systems are a waste of money. They may be useful if they are
installed by a MSSP who actually understands security, but not by the
average sysadmin handed another box and told to install the IDS because the
auditors say we need one.


From: Anton Chuvakin <anton () chuvakin org>
Date: 2003/06/13 Fri AM 11:29:51 EDT
To: focus-ids () securityfocus com
Subject: Rather funny; looks like page defacement to me

All,

This link was posted on the snort site. I figured I'd send it to the list,
since it's a fascinating read.

http://www.gartner.com/5_about/press_releases/pr11june2003c.jsp

My first impression was that it is a page defacement, so outrageous are some
of the claims. For instance, did you know that IDS actually _cause_ incident
response to happen? :-) Or this gem : "Money Slated for Intrusion
Detection Should Be Invested in Firewalls"?

Best,
--
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org


--------------------------------------------------------------------------
-----
INTRUSION PREVENTION: READY FOR PRIME TIME?

IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities
- including intrusion identification, relevancy, direction, impact and
analysis
- enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges,
and Requirements" at:
http://www.securityfocus.com/IntruVert-focus-ids2
--------------------------------------------------------------------------
-----








-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------

