IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Intrushield vs. ISS once more...

From: Thomas Ptacek <tqbf () arbor net>
Date: Wed, 5 Jan 2005 10:24:19 -0500
Regarding "psychic packet capture" (an aptly named feature):
If it's such an interesting and useful feature, one wonders why Robert Graham hasn't simply built it yet. It's not particularly hard. 

Let me take a stab:
On a medium-large network we expect to see in the neighborhood of 10kfps. Assume a mean packet size of 300 bytes, and we're occupying 150 megs of resident memory.
This of course assumes no overlap; that connections terminate instantaneously. They don't. Assume that half the connections last a second, half those remaining live into the next second, and decay from there. Now we need 300 megs of resident memory to keep 50 bytes for every active connection. 

Double these numbers if you're tracking both sides of the connection.
On a network running at 10kfps a loaded sensor probably does interesting memory management (or runs in the kernel) just to deal with the memory latency from maintaining connection state --- not packet contents, just connection stats --- for all those connections. Keeping contents incurs a memory copy. Does your existing system copy raw packets manually into DRAM after they've been DMA'd into a receive buffer?
Can this be done? I'm sure it can (though not in those Miss Cleo Perl scripts you're referring to): you can buy systems that will promise to copy all packets onto DISK. Why haven't you seen it in your IDS already? 

Probably because it isn't very useful.

For instance:
A system like Lancope's (statistical anomalies) doesn't generate alerts based on individual packets or even individual connections. It's detecting rate shifts based on time. This is detection based on context (useful for some things, don't get me wrong). What's the likelihood that the forensic information you're actually looking for is contained in the 15kB of data associated with the connection that happened to trip a threshold?
I'd probably have to concede that the feature is more useful in signature systems, where detection is atomic with respect to connections. But then I'd have to ask: 

How hard do you think a system like this would be to attack?
I await my smackdown from Rob Graham or Mike Frantzen or Mike Stolarchuk or whoever... 

On Dec 31, 2004, at 4:16 AM, Maynor, David (ISS Atlanta) wrote:


Lancope product called Therminator. It incorporates a process they call
"psychic packet prediction." This attempts to maintain a certain buffer
of every connection. I can't remember the number; I think 50 packets or
so. When something in that buffer causes an alarm the entire buffer is
saved so not only do you get the packets that caused the alarm, you get
a certain amount ahead and behind it. This helps with forensics greatly. 


---
Thomas H. Ptacek // Product Manager, Arbor Networks
(734) 327-0000


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. 
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: