IDS mailing list archives

RE: IDS Signature Confidence


From: Mark Teicher <mht3 () earthlink net>
Date: Mon, 25 Jul 2005 15:56:35 -0400 (GMT-04:00)

Nick/Dan, (must have a split personality or you have worked with too many bi-polar PhD security consultants or former 
"Cyber Investigators")

My comments on earlier posts could have contained a bit of complex gobbledygook; it all depends on how the IPS is 
configured in a particular network environment and how effective a particular set of intrusion detection 
signatures/protocol decodes are under certain network conditions.
  
If utilizing a Local Management Interface or Centralized Management Console, based on the default security policies or 
custom security policies a designated security administrator utilizes (i.e. monitor for known attacks, anomalies, DDoS, 
or specialized applications (Web, E-Commerce)).

Each set of security policies will include a set number of signatures/protocol decodes that might have been 
quickly tested for effectiveness in a particular environment with x number of packets per second, etc., and also 
depending on whether the IPS is capable of being configured in tap mode, inline mode or monitor mode only. Within 
each given configuration, an IPS's speed of analysis will be greatly affected, or may not be, depending on the vendor's 
implementation/architecture using commodity-based hardware or specialized hardware. Regardless, how fast a particular 
IPS is really shouldn't be the issue, but how effective a particular IPS is against a defined set of attacks and 
whether the local management interface or centralized management console receives the information in a timely fashion. 
Those statistics should then be used as a variable in calculating IDS Signature Confidence within a given enterprise or 
business environment.

Mileage may vary from network to network due to the percentage of real network traffic that a particular IPS is placed 
against.


THolman () toplayer com rigorously showed:
If a DoS attack is made up of valid traffic, then a NIDS signature 
isn't going to pick it up.
You need to establish whether or not incoming traffic from individual 
IPs meets acceptable transaction rates, and this is really a job for a 
rate-based IPS.

This seems a stunningly narrow view of a "signature"; I'm surprised to see the source (I generally find myself nodding 
and smiling as I read your posts!). Snort's "rate" and "burst" keywords provide a (simplistic) rate limiting as an 
obvious example. By making available more information from one's connection tracking, etc. to the signature language, 
"signatures" can be used quite effectively to detect DoS patterns of the type you describe.

Essentially, if a "signature" can both a) access all state available to the I[DP]S, and b) be expressed to the 
signature engine using a language strong enough to describe arbitrary [0] operations on this state, it's as powerful as 
any other code the system could employ (All hail the Church-Turing thesis!). If an IPS provides signature writers just 
as much flexibility as it does core designers to perform detection, is that a rate-based IPS or a sig-based IPS? I'm 
appalled that these terms are still bantered about when languages could be getting fixed instead.

Mark Teicher made a similar point earlier in the thread, but that post suffered from being far too readable and 
containing a paucity of complexity theory gobbledygook :).

[0] for values of "arbitrary" bounded by "recursively enumerable", of course, but we're among friends.

-- 
nick black          "np:  the class of dashed hopes and idle dreams."
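Added example for this thread (not Mark Teicher's, Nick Black's or any vendor's code): it ties the two points above together. First, the rate-based check Tim Holman attributes to a "rate-based IPS" is written as a plain "signature" in Nick Black's sense, a function over per-source connection-tracking state. Second, that signature is replayed against a constructed, labelled traffic sample and scored the way Mark Teicher suggests: detection rate, false-positive rate and alert timeliness feeding a confidence figure for that signature in that environment. The class and function names, the window and threshold, the addresses (documentation ranges) and the scoring formula are all assumptions for illustration.

```python
# Added example, not code from the thread or from any IPS product.
# A rate-based "signature" over connection-tracking state, replayed against a
# constructed labelled sample and scored for signature confidence.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Conn:
    ts: float    # seconds since start of the replay
    src: str     # source address
    dport: int   # destination port
    label: str   # replay ground truth: "attack" or "benign"


class ConnTracker:
    """Per-source sliding-window connection state that a signature may inspect."""

    def __init__(self, window: float):
        self.window = window
        self.per_src: Dict[str, deque] = defaultdict(deque)

    def observe(self, c: Conn) -> None:
        q = self.per_src[c.src]
        q.append(c.ts)
        while q and c.ts - q[0] > self.window:   # expire timestamps outside the window
            q.popleft()

    def rate(self, src: str) -> float:
        """New connections per second from src over the current window."""
        return len(self.per_src[src]) / self.window


Signature = Callable[[ConnTracker, Conn], bool]


def rate_signature(max_per_second: float) -> Signature:
    """A 'signature' that is just logic over tracker state (assumed form):
    fires once a source exceeds max_per_second new connections in the window."""
    return lambda tracker, c: tracker.rate(c.src) > max_per_second


def replay(conns: List[Conn], sig: Signature, window: float) -> List[Conn]:
    """Feed connections through the tracker in time order; return those that alerted."""
    tracker = ConnTracker(window)
    alerts = []
    for c in sorted(conns, key=lambda c: c.ts):
        tracker.observe(c)
        if sig(tracker, c):
            alerts.append(c)
    return alerts


def confidence(conns: List[Conn], alerts: List[Conn]) -> dict:
    """Signature-confidence statistics from a labelled replay (assumed scoring rule)."""
    attack_srcs = {c.src for c in conns if c.label == "attack"}
    benign_srcs = {c.src for c in conns if c.label == "benign"}
    alerted = {a.src for a in alerts}
    detected = attack_srcs & alerted
    detection_rate = len(detected) / len(attack_srcs) if attack_srcs else 0.0
    fp_rate = len(benign_srcs & alerted) / len(benign_srcs) if benign_srcs else 0.0
    # timeliness: seconds from a source's first connection to its first alert
    first_seen: Dict[str, float] = {}
    for c in sorted(conns, key=lambda c: c.ts):
        first_seen.setdefault(c.src, c.ts)
    latency: Dict[str, float] = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        if a.src in detected:
            latency.setdefault(a.src, round(a.ts - first_seen[a.src], 3))
    return {
        "detection_rate": detection_rate,
        "false_positive_rate": fp_rate,
        "alert_latency_s": latency,
        "score": detection_rate * (1.0 - fp_rate),   # assumed: reward coverage, penalise noise
    }


def sample_traffic() -> List[Conn]:
    """Constructed replay using documentation address ranges, not captured traffic."""
    conns: List[Conn] = []
    # benign: a few slow sessions plus one client fetching page assets in a burst
    conns += [Conn(t, "10.0.0.5", 80, "benign") for t in (0.0, 3.0, 6.0, 9.0)]
    conns += [Conn(t, "10.0.0.6", 443, "benign") for t in (1.0, 7.0)]
    conns += [Conn(2.0 + i * 0.1, "10.0.0.9", 80, "benign") for i in range(8)]
    # attack 1: 50 valid-looking connections inside one second
    conns += [Conn(5.0 + i * 0.02, "198.51.100.7", 80, "attack") for i in range(50)]
    # attack 2: low-and-slow, 15 connections spread over ten seconds
    conns += [Conn(i * 0.7, "203.0.113.9", 80, "attack") for i in range(15)]
    return conns


def evaluate(window: float = 2.0, max_per_second: float = 10.0) -> dict:
    """Confidence of the rate signature under one (window, threshold) configuration."""
    conns = sample_traffic()
    alerts = replay(conns, rate_signature(max_per_second), window)
    return confidence(conns, alerts)


if __name__ == "__main__":
    print(evaluate())                          # flood caught, low-and-slow missed
    print(evaluate(max_per_second=1.0))        # everything caught, benign burst flagged
```

With the default 2-second window and 10 connections/second threshold the flood source alerts 0.4 s after its first connection while the low-and-slow source never crosses the rate, so the signature scores 0.5 with no false positives; dropping the threshold to 1/s catches both attackers but also flags the benign asset-fetching client. That is the thread's point in miniature: the same signature logic yields a different confidence figure per environment and configuration, and the figure only means something when it comes from a labelled replay like this rather than from the engine's raw speed.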



