IDS mailing list archives
Re: How to choose an IDS/FW MSS provider
From: Prashant Khandelwal <safepacket () gmail com>
Date: Mon, 21 Mar 2005 12:35:30 +0530
See Comments inline -Prashant On Thu, 17 Mar 2005 10:03:00 -0500, Andre Ludwig <andre.ludwig () gmail com> wrote: <Snip>
I would also like to add this simple question (and answer) to the mix. What is the best way to evade an IDS? Knowing what it looks for... Open sigs for an IDS/IPS does more harm then good (for the majority) IMO.
</Snip> I totally agree up on that .. But another problem of having closed signature is that it cannot be customized for reducing false positives which was the other part of this debate!! the solution for the problem woulb be some thing intermediate as you suggested .. <Snip>
IE a SKILLED attacker wants to attack my network, and i use an ids that has an open sig set. Via posts on various mailing lists the attacker has worked up a probability matrix of what products are being used for IDS/IPS. So happens that those products have an open signature set. Now all the attacker has to do is look at what those systems deficiencies are (be it from a technical stand point, be it from a sig stand point) and modify his attack to circumvent the product that is put in place. Those opens sigs sure did help in evading the protection put in place. The best option IMO is having a skilled R&D team who is on the edge of what is out there, a closed signature set, and the ABILITY to add your own SIGNATURES from other sources (be it snort based rules only or snort based rules + vendor based rule framework). All of a sudden you then have the best of both worlds.
</Snip> Thats a good idea indeed but it might not turn to be cost and time effective as this requires lot of expertise and efforts . In a longer run this may be painful IMHO. The usual practice for implemeting the IPS , and one of the good intermediate way which perhaps everybody follows to over come close sigs/false +ves problem is to implement the IPS in sniffer mode(to act as IDS) initially in your environment and study the flase positives and then report it to the respective Vendor . That would be a test agains the vendors support also :-).Once you feel every this is fine the same can be put in to the inline mode (thats what most vendors too recommend) but at the same time if your vendor support aint good you are left clueless !! . . With some vendors having there framework already laid for writing custom signatues .. the IDS/IPS can be tuned perfectly for your envirnment :-) <Snip>
Oh and simple pattern matching is crap, there needs to be an abstraction layer above the pattern matching that says "apply this pattern if the following criteria have been meet {syn syn ack syn ack *pattern* rst}" or something along those lines that are exploit specific, be it flow information or protocol level flags or features.
</Snip> Very True.. ahh but thats why ppl like to have Open sigs perhaps !! at the same time if you are security conscious then you gotta be paranoid / you will prefer closed sigs . I know i have written self contradicting statements but this is what i think. -Prashant -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Re: How to choose an IDS/FW MSS provider, (continued)
- Re: How to choose an IDS/FW MSS provider Peter Schawacker (Mar 16)
- Re: How to choose an IDS/FW MSS provider Mark Teicher (Mar 16)
- Re: How to choose an IDS/FW MSS provider David W. Goodrum (Mar 19)
- RE: How to choose an IDS/FW MSS provider Palmer, Paul (ISSAtlanta) (Mar 16)
- RE: How to choose an IDS/FW MSS provider THolman (Mar 16)
- Re: How to choose an IDS/FW MSS provider Sasser (Mar 19)
- Re: How to choose an IDS/FW MSS provider Mark Teicher (Mar 16)
- RE: How to choose an IDS/FW MSS provider THolman (Mar 16)
- RE: How to choose an IDS/FW MSS provider Andrew Plato (Mar 16)
- Re: How to choose an IDS/FW MSS provider Andre Ludwig (Mar 19)
- Re: How to choose an IDS/FW MSS provider Prashant Khandelwal (Mar 24)
- Re: How to choose an IDS/FW MSS provider Andre Ludwig (Mar 19)
- Re: How to choose an IDS/FW MSS provider Adam Powers (Mar 19)
- RE: How to choose an IDS/FW MSS provider Chris Harrington (Mar 19)
- RE: How to choose an IDS/FW MSS provider KoƧ.net (Mar 19)
- Re: How to choose an IDS/FW MSS provider Mark Teicher (Mar 19)
- Re: How to choose an IDS/FW MSS provider Martin Roesch (Mar 19)
- Re: How to choose an IDS/FW MSS provider Mark Teicher (Mar 24)
- Re: How to choose an IDS/FW MSS provider Devdas Bhagat (Mar 28)
- Re: How to choose an IDS/FW MSS provider Martin Roesch (Mar 19)
- RE: How to choose an IDS/FW MSS provider Nigel Lewis (Mar 19)
- RE: How to choose an IDS/FW MSS provider Sergey V Soldatov (Mar 19)
- RE: How to choose an IDS/FW MSS provider Jason Baeder (Mar 19)