Re: FW: IDS Signature Confidence

[Vipul Kumra <secureskillz () yahoo com>]

There can be different approaches to detect a DOS
attack when using IDS.

It depends upon what type of DOS attack you are trying
to prevent e.g. a DOS attack can be accomplished by
sending a large number of packets so as to overwhelm
the system, thus causing it to stop servicing
legitimate request. The other way could be to just
sending a single packet that causes a buffer overflow
in some application so that it hangs or terminates
(which will again lead to a DOS situation).

Now to tackle the second case where a single packet
can do enough harm, we can write a signature to drop
that packet by just looking at its contents. 

For detecting the first case there can be counter
based signatures. The counter based category of IDS
attacks are the ones that are detected if packets
containing certain characteristics are seen repeatedly
in the network. The attack is confirmed if “n” numbers
of packets containing a specified characteristic are
seen in the network within “t” time. The counter based
attacks typically cause a denial of service to other
genuine packets in the system, by flooding the
resource that other genuine packets in the system are
also attempting to use. For this reason, the counter
based attacks are also called “Denial of Service
Attacks”.

Proper testing of the signature should be done to find
out a near accurate false positive and false negative
ratio.  


Vipul






> -----Original Message-----
> From: Raffael Marty [mailto:raffy () raffy ch]
> Sent: Tuesday, June 21, 2005 4:30 AM
> To: focus-ids () lists securityfocus com
> Subject: IDS Signature Confidence
>
>
> I was thinking about this following problem: Assume
> you have an NIDS
> signature looking for DoS attacks. In most of the
> cases I don't trust the
> NIDS reporting on a DoS attack. A lot of the DoS
> sigs just look at
> some bytes on the wire and tell me that there is a
> DoS attack going
> on. However, I need some more evidence that my
> services are indeed not
> accessible anymore.  Some signatures on the other
> hand are very specific
> and you can trust them with whatever they report.
> Now this brings me to my question:  How do you guys
> decide how much
> confidence you put in a certain IDS signature? And I
> am not talking
> about prioritizing the event. I am talking about
> assigning a "success"
> or "possible success" to signatures.
>
>   -raffy
>
>
> --
>   Raffael Marty, GCIA, CISSP                    
> raffael.marty () arcsight com
>   Senior Security Engineer                    
> Content Team @ ArcSight Inc.
>   5 Results Way             Cupertino, CA 95014     
>         (408) 864-2662
--------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with
> real-world attacks from 
> CORE IMPACT.
> Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
--------------------------------------------------------------------------
>


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------