IDS mailing list archives
Re: Intrushield vs. ISS once more...
From: Thomas Ptacek <tqbf () arbor net>
Date: Wed, 5 Jan 2005 10:24:19 -0500
Regarding "psychic packet capture" (an aptly named feature):If it's such an interesting and useful feature, one wonders why Robert Graham hasn't simply built it yet. It's not particularly hard.
Let me take a stab:On a medium-large network we expect to see in the neighborhood of 10kfps. Assume a mean packet size of 300 bytes, and we're occupying 150 megs of resident memory.
This of course assumes no overlap; that connections terminate instantaneously. They don't. Assume that half the connections last a second, half those remaining live into the next second, and decay from there. Now we need 300 megs of resident memory to keep 50 bytes for every active connection.
Double these numbers if you're tracking both sides of the connection.On a network running at 10kfps a loaded sensor probably does interesting memory management (or runs in the kernel) just to deal with the memory latency from maintaining connection state --- not packet contents, just connection stats --- for all those connections. Keeping contents incurs a memory copy. Does your existing system copy raw packets manually into DRAM after they've been DMA'd into a receive buffer?
Can this be done? I'm sure it can (though not in those Miss Cleo Perl scripts you're referring to): you can buy systems that will promise to copy all packets onto DISK. Why haven't you seen it in your IDS already?
Probably because it isn't very useful. For instance:A system like Lancope's (statistical anomalies) doesn't generate alerts based on individual packets or even individual connections. It's detecting rate shifts based on time. This is detection based on context (useful for some things, don't get me wrong). What's the likelihood that the forensic information you're actually looking for is contained in the 15kB of data associated with the connection that happened to trip a threshold?
I'd probably have to concede that the feature is more useful in signature systems, where detection is atomic with respect to connections. But then I'd have to ask:
How hard do you think a system like this would be to attack?I await my smackdown from Rob Graham or Mike Frantzen or Mike Stolarchuk or whoever...
On Dec 31, 2004, at 4:16 AM, Maynor, David (ISS Atlanta) wrote:
Lancope product called Therminator. It incorporates a process they call "psychic packet prediction." This attempts to maintain a certain buffer of every connection. I can't remember the number; I think 50 packets or so. When something in that buffer causes an alarm the entire buffer is saved so not only do you get the packets that caused the alarm, you geta certain amount ahead and behind it. This helps with forensics greatly.
--- Thomas H. Ptacek // Product Manager, Arbor Networks (734) 327-0000 -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- RE: Intrushield vs. ISS once more... Maynor, David (ISS Atlanta) (Jan 03)
- Re: Intrushield vs. ISS once more... Thomas Ptacek (Jan 06)
- Re: Intrushield vs. ISS once more... Dennis Cox (Jan 06)
- Re: Intrushield vs. ISS once more... Adam Powers (Jan 08)
- Re: Intrushield vs. ISS once more... Thomas Ptacek (Jan 10)
- Re: Intrushield vs. ISS once more... Mike Frantzen (Jan 08)
- <Possible follow-ups>
- RE: Intrushield vs. ISS once more... Murtland, Jerry (Jan 03)
- Re: Intrushield vs. ISS once more... Chris Brown (Jan 04)
- Re: Intrushield vs. ISS once more... Chris Mills (Jan 06)
- Re: Intrushield vs. ISS once more... Jason (Jan 06)
- Re: Intrushield vs. ISS once more... Jason (Jan 06)
- RE: Intrushield vs. ISS once more... Chris Brown (Jan 06)
(Thread continues...)
- Re: Intrushield vs. ISS once more... Thomas Ptacek (Jan 06)