IDS mailing list archives
RE: IDS event filtering
From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Fri, 31 Dec 2004 19:03:22 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Billy, Patrick is right; filtering can be good...and bad. What I have seen happen too many times is that someone turns off their alerts for say slammer, and add 10 new developers who install MSDN and you have 10 unpatched new MSDE instances clogging your pipes. Or the fully-patched IIS web server gets reloaded in the middle of the night as part of trouble-shooting a corrupt metabase; within 15 minutes you now have a new remotely managed system on your network. I think there are a few ways to filter; the effectiveness and scalability of each depend on the size of your enterprise and the time you have on your hands: 1. Correlation of security event with vuln scanner data. ISS's Fusion does this. Several SEM vendors (e.g.-Arcsight) claim to do this. 2. Tuning of ruleset known vs. unknown. The beauty of snort are her variables flexibility; you can create known-patched-sql vs. rest-of-network vars and ignore or alert priority accordingly. This is risky to me b/c you never know that was is patched stays patched (unless you're small and doing it yourself). 3. Correlation of known-platforms vs. signature variables. Sourcefire does this in a backend database now. RNA can let you know that the server being attacked by Code Red is Apache so you can filter out that noise. RNA is fairly accurate in detection. Nevo does something like this but I haven't looked at in over a year so not sure if any backend IDS correlation. 4. Holy grail of NIDS: auto-tune your sensors based upon either scanner data or passive fingerprinting. Sourcefire is going this way with RNA on the passive fingerprinting front. I don't know anyone auto-tuning off of scan data yet. Scanners get more accurate and detailed data than passive finger- printing in most ways, and usually require less $ investment and less change to infrastructure to use than passive finger- printing. Downside to scanning is that it's non-real-time, usually much slower data collecton process, and can be invasive. 5. Spreadsheet: Operationalize prioritization with a list of what "should be patched" vs. unknown. Deprioritize alerts on systems that should be patched (as above) and have someone kick off a patch auditor to verify, perhaps next am, etc. Unknown systems showing attack/response should get immediate response and investigation. I can't believe I'm reading this list for the first time in weeks, and on NYE. Bad bad bad. Good luck, Happy New Year all, Arian
-----Original Message----- From: Harper, Patrick [mailto:Patrick.Harper () phns com] Sent: Friday, December 31, 2004 3:32 PM To: CraftedPacket () securitynerds org; focus-ids () lists securityfocus com Subject: RE: IDS event filtering *** PGP SIGNATURE VERIFICATION *** *** Status: Unknown Signature *** Signer: Unknown Key (0xDBEFE07F) *** Signed: 12/31/2004 3:31:26 PM *** Verified: 12/31/2004 6:46:06 PM *** BEGIN PGP VERIFIED MESSAGE *** Thresholding is a wonderful thing. And no, I personally do not want to see alerts on tings I do not have. If I am an all apache shop then I do not turn on any IIS rules. I also make sure, via scanning and vulnerability analysis, that I do not in fact have any IIS (or whatever) installed. You first need to have a good inventory of what you have. And you need to keep that up to date so you always know what you have. Then you trim all rules to that. Weather it be ingress - egress firewall rules, IDS configs, or whatever. Figure out what you have, learn how it flows (and make it work/flow the secure way) then monitor it. -----Original Message----- From: Billy Dodson [mailto:CraftedPacket () securitynerds org] Sent: Friday, December 31, 2004 9:37 AM To: focus-ids () lists securityfocus com Subject: IDS event filtering I am wanting to get an idea of what you guys out there filter from your IDS sensors. Some of the sensors I monitor get TONS of events for MSSQL control overflows. If the customer is patched for slammer and does not have any SQL services on the internet, is it safe to filter out those events? Do you still want to see that traffic even though you know your are not vulnerable? Thanks! ---------------------------------------------------------------------- ---- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ---------------------------------------------------------------------- ---- *** END PGP VERIFIED MESSAGE *** Disclaimer: This electronic message, including any attachments, is confidential and intended solely for use of the intended recipient(s). This message may contain information that is privileged or otherwise protected from disclosure by applicable law. Any unauthorized disclosure, dissemination, use or reproduction is strictly prohibited. If you have received this message in error, please delete it and notify the sender immediately. -------------------------------------------------------------- ------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. -------------------------------------------------------------- ------------
-----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQA/AwUBQdX22jw+XG8chAQiEQLxdwCg4YiSXOANOTBvv1M8nuk9n67aPpAAoLqP 56vHzMxa3lrK+QCc/GQirgFs =zW8L -----END PGP SIGNATURE----- The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system. -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Re: IDS event filtering Stef (Jan 03)
- <Possible follow-ups>
- RE: IDS event filtering dcdave (Jan 03)
- Re: IDS event filtering Reto Baumann (Jan 03)
- Re: IDS event filtering Jeff Kell (Jan 03)
- Re: IDS event filtering M. Dodge Mumford (Jan 03)
- RE: IDS event filtering Evans, Arian (Jan 03)
- Message not available
- RE: IDS event filtering (NeVO comments) Ron Gula (Jan 04)
- Message not available
- RE: IDS event filtering Phil Hollows (Jan 03)
- RE: IDS event filtering Ofer Shezaf (Jan 04)
- RE: IDS event filtering Phil Hollows (Jan 06)
- RE: IDS event filtering Phil Hollows (Jan 06)
- RE: IDS event filtering Ofer Shezaf (Jan 17)