RE: IDS alerts / second - Correlation - Virtualization

[Sanjay Rawat <sanjayr () intoto com>]

Yes..this is point i also raised earlier that it is not feasible to define 
what is legitimate traffic (in replying to Devdas). it is all context 
dependent. we should go one more level deeper and should take help of 
correlations of other events. like (for example) any DoS attack (flooding 
in particular) is succeeded  if it can either consume the bandwidth or 
consume all CPU time for that service (i m excluding buffer overflow method 
to crash the system) network or a system and act accordingly. in this way, 
we are trying to capture the states which are necessary to be present if 
the attack indeed to happen.

At 01:45 AM 7/27/2005, Swift, David wrote:
> And how would you propose to block something you can't detect?
>
> IPS actions are always on patterns of data, either packet level, or
> based on anomalous behavior (statistical, historical, protocol...).
>
> To argue otherwise is incomprehensible.
>
> Arguments that you should define only acceptable behaviors allowed are
> also nonsensical.
>
> Unless you create a protocol based proxy with a VERY limited set of
> actions allowed, and for only specific Operating systems and
> applications, it would be impossible to define all the possible packets
> and sequences.
>
> This is the English language equivalent of defining all known words, and
> allowed combinations of words in any length from a single word to the
> compressed library of congress and only allowing those patterns you have
> chosen to allow through. The allowed set would be irrationally large,
> and impossible to code in a cost effective, throughput efficient manner.
>
> Creative and ill-intended people are continuously finding new
> combinations that operating systems and applications respond improperly
> to.
>
> RDP is an allowed protocol to Windows. A Null Session is perfectly
> legitimate to Windows operating system.  CAT /ETC/PASSWD is a perfectly
> valid Unix command.
>
> But I certainly would not allow any of these through my security device.
>
> -----Original Message-----
> From: Nathan Davidson [mailto:ndavidso () globix com]
> Sent: Tuesday, July 26, 2005 4:13 AM
> To: Swift, David; Frank Knobbe
> Cc: focus-ids () securityfocus com
> Subject: RE: IDS alerts / second - Correlation - Virtualization
>
>
> David Swift said:
>
> "By nature, any IPS has to do IDS first.
> You have to detect before you can block.
> Therefore the number of IDS events will dramatically exceed the number
> of IPS events. IPS will always be a subset of IDS."
>
> David, I am sorry to be terse with you, but I have never heard such a
> non-cohesive argument.
>
> If you take a proper IPS, and by that I don't mean an IDS that has been
> re-jigged into an IPS for marketure purposes; it should perform
> SYN-cookies or SYN-proxying, followed by Layer 2 checks, followed by a
> firewall policy, followed by rate limiting and Layer 4 checks before it
> bothers to do anything at Layer 7.
>
> As we all know Layer 7 is computationally expensive so a well designed
> IPS will always reduce the amount of traffic at Layer 2-4 prior to
> applying IDS signatures.
>
> "Also, please note than many vendors (iPolicy included), are using
> correlation tools to tune the system to the deployed network.
> ...
> Then the data is fed back into the IPS engine and Firewall to
> intelligently turn on signatures to block events that the protected
> network is vulnerable to, firewall unwanted ports, and ideally to turn
> off alerting for events the protected network is not vulnerable to."
>
> This is IMHO very risky, you are presuming that your scanner has picked
> up all the apps/vulnerabilities that exist in your network and knows
> their relationship to any assigned policy items. Why not just block all
> access known to be malicious or pointless? That would be an in-line
> blocking IPS (or if you like, a firewall that has such features).
>
>
>
>
>
> -----Original Message-----
> From: Frank Knobbe [mailto:frank () knobbe us]
> Sent: Friday, July 22, 2005 4:39 PM
> To: Nathan Davidson
> Cc: focus-ids () securityfocus com
> Subject: RE: IDS evaluations procedures
>
> On Sat, 2005-07-16 at 12:42 -0400, Nathan Davidson wrote:
> > To make things easier to compare let us say that the IPS and IDS have
> > the SAME signatures/policy and they both identify all of the malicious
> > traffic:
> >
> > The IPS will create 10 alerts/sec
> > The IDS will create 100 alerts/sec
>
> Uhm... then the IDS is not configured properly.
>
> IPSes seem to filter proactively, that means based on assumptions. It
> assumes that your server is vulnerable against xyz and blocks it. But
> the server doesn't have to be vulnerable.
>
> You can deploy an IDS as an ADS, that is, Attack Detection System. As
> such it would alert on every xyz packet that look suspicious and which
> the IDS thinks may cause harm to your server.
>
> But you can also deploy an IDS as an ...well... Intrusion Detection
> System. Configured like that, it doesn't make assumptions and doesn't
> care if it sees xyz hitting the server. It cares what the server
> responds with to xyz. If it detects an abnormal response, or outright
> hostile traffic (i.e. signature of a botnet c&c channel join), then it
> issues an alert, and only then.
>
> Given that, the math is as follows:
>
> ADS: 100 alerts /sec
> IPS: 10 alerts /sec
> IDS: 1 alert /incident
>
> I think the IDS has a much higher security ROI (oops, I said the evil
> word) than an IPS.
>
> The IPS is a broad-sword. The IDS, properly deploy and managed, is a
> sensitive detector, not a noisy alarm bell. It doesn't alert on every
> thrust of a sword, it only alerts when you bleed.
>
> Regards,
> Frank
>
> PS: I sometimes wonder if the I-have-more-alerts-than-you-stick-waving
> in the IDS market contributed to the misuse of IDS systems....
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>
> to learn more.
> ------------------------------------------------------------------------
>
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>
> to learn more.
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------

Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 423
Website : www.intoto.com
  Homepage: http://sanjay-rawat.tripod.com






------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------