Re: How to choose an IDS/FW MSS provider

[Prashant Khandelwal <safepacket () gmail com>]

See Comments inline 

-Prashant 

On Thu, 17 Mar 2005 10:03:00 -0500, Andre Ludwig <andre.ludwig () gmail com> wrote:
<Snip>
> I would also like to add this simple question (and answer) to the mix.
>
> What is the best way to evade an IDS?
>
> Knowing what it looks for...
>
> Open sigs for an IDS/IPS does more harm then good (for the majority) IMO.
</Snip>
 
I totally agree up on that .. But another problem of having closed
signature is that it cannot be customized for reducing false positives
which was the other part of this debate!! the solution  for the
problem woulb be some thing intermediate  as you suggested ..

<Snip>
> IE a SKILLED attacker wants to attack my network, and i use an ids
> that has an open sig set.   Via posts on various mailing lists the
> attacker has worked up a probability matrix of what products are being
> used for IDS/IPS.  So happens that those products have an open
> signature set.  Now all the attacker has to do is look at what those
> systems deficiencies are (be it from a technical stand point, be it
> from a sig stand point) and modify his attack to circumvent the
> product that is put in place.
>
> Those opens sigs sure did help in evading the protection put in place.
>
> The best option IMO is having a skilled R&D team who is on the edge of
> what is out there, a closed signature set, and the ABILITY to add your
> own SIGNATURES from other sources (be it snort based rules only or
> snort based rules + vendor based rule framework).   All of a sudden
> you then have the best of both worlds.
</Snip>

Thats a good idea indeed but  it might not turn to  be cost and  time
effective  as this requires lot of expertise and  efforts . In a
longer run this may be painful IMHO.

 The usual practice  for implemeting the IPS , and one of the good
intermediate way which perhaps everybody follows  to over come close
sigs/false +ves  problem is to implement the IPS in sniffer mode(to
act as IDS) initially in your environment and study the flase
positives and then report it to the respective Vendor . That would be
a test agains the vendors support also :-).Once you feel every this is
fine the same can be put in to the inline mode (thats what most
vendors too recommend) but at the same time  if your vendor support
aint good you are left clueless !! . . With some vendors having there
framework already laid for writing custom signatues .. the IDS/IPS can
be tuned perfectly for your envirnment :-)

<Snip>
> Oh and simple pattern matching is crap, there needs to be an
> abstraction layer above the pattern matching that says "apply this
> pattern if the following criteria have been meet  {syn syn ack syn ack
> *pattern* rst}" or something along those lines that are exploit
> specific, be it flow information or protocol level flags or features.
</Snip>

Very True.. ahh  but thats why ppl like to have Open sigs perhaps !!
at the same time if you are  security conscious  then you gotta be
paranoid / you will  prefer closed sigs .
I know i have written self contradicting statements but this is what i think.

-Prashant

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------