IDS mailing list archives
Re: IDS detection approaches
From: "Sec urity" <security () brvenik com>
Date: Tue, 9 Oct 2007 12:18:42 -0400
On 10/5/07, Nelson Brito <nbrito () sekure org> wrote:
I do agree that SNORT is one of the most popular when you are learning about IDS, but it is possible to attack the IDS engine in a very easy way: 1) evasion; 2) DoS; 3) Flse Positive; 4) you name it... That isn't a SNORT's weakness, it is a technology limitation: pattern matching. This is very easy to take advantage of the pattern itself - in bad sense...
There are few commercial IPS products that stand up to informed scrutiny as well as Snort. Too bad many commercial black box vendors are allowed to claim something other than reality. What leads you to believe that other vendors are not simple signature engines or are some how superior? A perfect example to look at is https://strikecenter.bpointsys.com/articles/2007/06/19/ips-evasion-with-the-apache-http-server And still to this day there are variations of this method that continue to evade. \x0cGET /whatever/you/want HTTP/1.0\r\n\r\n This is an easy target that recently got updated in the _signature_ packs of one vendor that claims to be other than a fast regex engine.
I think the best approach is when vendors get the knowledge of how the vulnerabilties work, istead of how the exploits exploit the vulnerability. This is so reactive that any new exploit / worm variant will require a new signature. Keep in mind that when you know how the vulnerability can be exploited is better than know how so many exploits works, but it is not that easy! A signature database based on pattern is easier but gives you worng sense of protection, and this worse than no protection. That said, IMHO, anomaly detection + signature database based on vulnerabilties + behavior detection + any other approach other than pattern means BETTER SECURITY / PROTECTION. My 2 cents.
Do not underestimate the value of signatures in protocol modeling. Especially when it is backed by a rules language that allows for full protocol state tracking and analysis. All protocols have patterns, these patterns are often identifiable by signatures. This is perhaps why people often confuse the snort rules language with a purely signature based engine. That perception could not be farther from the truth. In a simple form there are a few components that come together to facilitate far more sophisticated analysis. 1) Preprocessors - These are best described as protocol normalizers, generally employed when protocols have multiple representations that need to be accounted for. They can also be used for crypto, behavioral, and anomaly based detection in a faster way than rules can support alone. 2) Signatures - These are your standard pattern matching methods generally employed 3) Rules - These allow you to do the really cool things with traffic analysis without writing code. EG: - Find the field marker for buffer size denoted by the pattern |03 04 06 FE| - At the end of the marker, take four bytes and interpret them as an int - Jump that many bytes forward in the payload - From that position find the op code for open file - At the open file op code location test the value of file size, if it is greater than 128 there is a vulnerable condition. There is not enough space in this mail to get into multipacket analysis, arbitrary protocol state tracking, target based reassembly, application modeling, white listing, tokenized bait, input validation... Snort itself is much much more than a signature engine, please do not continue to confuse hobbyist works (simple signatures for snort) with actual capabilities and professional application.
Nelson Brito (nbrito () sekure org) Senior IPS Engineer & Pen-tester -----Original Message----- From: frankfrydrych () gmail com Sent: Thursday, October 04, 2007 11:29 PM To: focus-ids () securityfocus com Subject: Re: IDS detection approaches Hola, I would completely go with a signature based IDS. Anomaly based IDS will not give you the greatest results. For signature base I highly recommend SNORT. It is probably one of the best IDS out there. Now I'm not just saying this as a "ooh open source is the best". I truely believe this. I actually use to be a huge Cisco buff and just dealt with Cisco IDS. However, at my current job I am a security analyst and have to analyze events from Cisco, IIS, Juniper, etc, and SNORT beats them all. Mainly for the fact that you are able to see the packet payload and are able to make the decision if something is malicious based on the actual payload and not just the signature that is triggered (like some IDS). Also, when a new threat emerges usually SNORT users will create a signature to combat the threat. The other vendors create the signatures for you and it usually ends up to be like 3 months after the threat was actually a realistic threat. And on top of it the vendor signatures usually give out huge amount of false positves. Then again, an IDS is only as good as who tunes it. If you take
A
NY IDS and turn it on in a production network you will have so many false positives I garuntee you will miss actual threats. Every IDS (including SNORT) has to be tuned for the production network it is on. Finally, make sure to place the IDS behind the firewall. If you place it in front of the firewall you will receive so much traffic that it is just not valuable data. You have a firewall, so let the firewall do its job and block the already known bad activity, and catch what gets through the firewall with a IDS. -FF
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Re: IDS detection approaches, (continued)
- Re: IDS detection approaches frankfrydrych (Oct 05)
- Re: IDS detection approaches Gary Halleen (Oct 09)
- Re: IDS detection approaches Randal T. Rioux (Oct 12)
- Re: IDS detection approaches Gary Halleen (Oct 12)
- Re: IDS detection approaches Gary Halleen (Oct 09)
- Re: IDS detection approaches jean-philippe luiggi (Oct 09)
- Re: IDS detection approaches Adam Powers (Oct 09)
- RE: IDS detection approaches 'Merigoth' (Oct 09)
- Re: IDS detection approaches Liran Cohen (Oct 15)
- Oracle XDB FTP Kanagasingham, Prathaben (Oct 26)
- Re: IDS detection approaches frankfrydrych (Oct 05)
- RE: IDS detection approaches Nelson Brito (Oct 09)
- Re: IDS detection approaches Sec urity (Oct 09)
- RE: IDS detection approaches Nelson Brito (Oct 10)
- Re: IDS detection approaches Sec urity (Oct 10)
- Message not available
- Re: IDS detection approaches Sec urity (Oct 12)
- RE: IDS detection approaches Nelson Brito (Oct 12)
- Re: IDS detection approaches Sec urity (Oct 12)
- RE: IDS detection approaches Nelson Brito (Oct 12)
- Re: IDS detection approaches Jason (Oct 12)
- RE: IDS detection approaches Nelson Brito (Oct 15)
- Re: IDS detection approaches Jason (Oct 15)
- Re: IDS detection approaches Sec urity (Oct 09)