RE: IDS event filtering

["Evans, Arian" <Arian.Evans () fishnetsecurity com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Billy,

Patrick is right; filtering can be good...and bad. What
I have seen happen too many times is that someone turns
off their alerts for say slammer, and add 10 new developers
who install MSDN and you have 10 unpatched new MSDE instances
clogging your pipes. Or the fully-patched IIS web server
gets reloaded in the middle of the night as part of
trouble-shooting a corrupt metabase; within 15 minutes
you now have a new remotely managed system on your network.

I think there are a few ways to filter; the effectiveness
and scalability of each depend on the size of your enterprise
and the time you have on your hands:

1. Correlation of security event with vuln scanner data. ISS's
Fusion does this. Several SEM vendors (e.g.-Arcsight) claim
to do this.

2. Tuning of ruleset known vs. unknown. The beauty of snort
are her variables flexibility; you can create known-patched-sql
vs. rest-of-network vars and ignore or alert priority accordingly.

This is risky to me b/c you never know that was is patched
stays patched (unless you're small and doing it yourself).

3. Correlation of known-platforms vs. signature variables.
Sourcefire does this in a backend database now. RNA can let
you know that the server being attacked by Code Red is Apache
so you can filter out that noise. RNA is fairly accurate in
detection. Nevo does something like this but I haven't looked
at in over a year so not sure if any backend IDS correlation.

4. Holy grail of NIDS: auto-tune your sensors based upon either
scanner data or passive fingerprinting. Sourcefire is going this
way with RNA on the passive fingerprinting front. I don't know
anyone auto-tuning off of scan data yet.

Scanners get more accurate and detailed data than passive finger-
printing in most ways, and usually require less $ investment
and less change to infrastructure to use than passive finger-
printing. Downside to scanning is that it's non-real-time,
usually much slower data collecton process, and can be invasive.

5. Spreadsheet: Operationalize prioritization with a list of
what "should be patched" vs. unknown. Deprioritize alerts on
systems that should be patched (as above) and have someone
kick off a patch auditor to verify, perhaps next am, etc.

Unknown systems showing attack/response should get immediate
response and investigation.

I can't believe I'm reading this list for the first time in
weeks, and on NYE. Bad bad bad. Good luck, Happy New Year all,

Arian 

> -----Original Message-----
> From: Harper, Patrick [mailto:Patrick.Harper () phns com] 
> Sent: Friday, December 31, 2004 3:32 PM
> To: CraftedPacket () securitynerds org; focus-ids () lists securityfocus com
> Subject: RE: IDS event filtering
>
>  
> *** PGP SIGNATURE VERIFICATION ***
> *** Status:   Unknown Signature
> *** Signer:   Unknown Key (0xDBEFE07F)
> *** Signed:   12/31/2004 3:31:26 PM
> *** Verified: 12/31/2004 6:46:06 PM
> *** BEGIN PGP VERIFIED MESSAGE ***
>
> Thresholding is a wonderful thing.  And no, I personally do not want
> to see alerts on tings I do not have.  If I am an all apache shop
> then I do not turn on any IIS rules.  I also make sure, via scanning
> and vulnerability analysis, that I do not in fact have any IIS (or
> whatever) installed.  You first need to have a good inventory of what
> you have.  And you need to keep that up to date so you always know
> what you have.  Then you trim all rules to that.  Weather it be
> ingress - egress firewall rules, IDS configs, or whatever.  Figure
> out what you have, learn how it flows (and make it work/flow the
> secure way) then monitor it. 
>
>  
> -----Original Message-----
> From: Billy Dodson [mailto:CraftedPacket () securitynerds org] 
> Sent: Friday, December 31, 2004 9:37 AM
> To: focus-ids () lists securityfocus com
> Subject: IDS event filtering
>
> I am wanting to get an idea of what you guys out there filter from
> your
> IDS sensors.  Some of the sensors I monitor get TONS of events for
> MSSQL
> control overflows.  If the customer is patched for slammer and does
> not
> have any SQL services on the internet, is it safe to filter out those
> events?  Do you still want to see that traffic even though you know
> your
> are not vulnerable?  Thanks!
>
> ----------------------------------------------------------------------
> ----
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks
> from 
> CORE IMPACT.
> Go to
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> to learn more.
> ----------------------------------------------------------------------
> ----
>
>
>
>
>
> *** END PGP VERIFIED MESSAGE ***
>
>
>
>
> Disclaimer:
> This electronic message, including any attachments, is 
> confidential and intended solely for use of the intended 
> recipient(s). This message may contain information that is 
> privileged or otherwise protected from disclosure by 
> applicable law. Any unauthorized disclosure, dissemination, 
> use or reproduction is strictly prohibited. If you have 
> received this message in error, please delete it and notify 
> the sender immediately. 
>
>
>
>
> --------------------------------------------------------------
> ------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world 
> attacks from 
> CORE IMPACT.
> Go to 
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
> to learn more.
> --------------------------------------------------------------
> ------------
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQdX22jw+XG8chAQiEQLxdwCg4YiSXOANOTBvv1M8nuk9n67aPpAAoLqP
56vHzMxa3lrK+QCc/GQirgFs
=zW8L
-----END PGP SIGNATURE-----



The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or 
privileged material. 
Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information 
by persons or entities
other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you 
received this communication 
in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network 
system.



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------