<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.comp.security.ids">
    <title>gmane.comp.security.ids</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7272"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7271"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7270"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7269"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7268"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7267"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7266"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7265"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7264"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7263"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7262"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7261"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7260"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7259"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7258"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7257"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7256"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7255"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7254"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.ids/7253"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7272">
    <title>Re: Ideal IDS/IPS</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7272</link>
    <description>&lt;pre&gt;I'll take a stab!

I would say there are two sorts of audiences for IDS/IPS: Those who care and those who want it to run on its own with as little care and feeding as possible. For those that care, I'm not actually all that concerned about false positives as I think a good analyst team should always go through the manual tuning process themselves so they learn what their environment feels like, but also determine for themselves the amount of noise they want to see. Sometimes a rise or lull in noise is an indication of something strange.


Signature visibility - Essentially if there is an alert, I want to know definitively why it triggered, whether a sig or statistics or whatever. I don't want to ever guess.

Traffic visibility - I don't want to call my IPS a full content capture tool, but I would like to see complete-enough traffic captures to match up why an alert came up. As a bonus, it might be nice to manually trigger a realtime capture just to see if a system is still spewing weird things or to p&lt;/pre&gt;</description>
    <dc:creator>krymson&lt; at &gt;gmail.com</dc:creator>
    <dc:date>2011-06-07T13:45:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7271">
    <title>Re: Ideal IDS/IPS</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7271</link>
    <description>&lt;pre&gt;
And a pony!

/mz

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194



&lt;/pre&gt;</description>
    <dc:creator>Michal Zalewski</dc:creator>
    <dc:date>2011-06-06T06:28:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7270">
    <title>Re: Ideal IDS/IPS</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7270</link>
    <description>&lt;pre&gt;
&lt;/pre&gt;</description>
    <dc:creator>Nikhil Manampady</dc:creator>
    <dc:date>2011-06-06T06:49:23</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7269">
    <title>Ideal IDS/IPS</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7269</link>
    <description>&lt;pre&gt;What would we like to have in an ideal IDS/IPS system? I am not
restricting the list to existing approaches such as signature based,
anomaly based, statistical or specification based IDS. Just trying to
get the wish list sort of. Any feedback is much appreciated.

Low false negatives   - maximize detection and prevention of
intrusions, detect zero day attacks, detect variations
Low false positives   - don't waste analyst time
Ease of use           - installation and configuration
Low resource usage    - minimize resource usage, degrade gracefully
when resource usage exceeds limits
High Performance      - good scalability with increasing network speeds
Stability, Robustness - no crashes, and resistance to attacks against IDS
Minimal ongoing maintenance - Run with minimal human supervision

Thanks

&lt;/pre&gt;</description>
    <dc:creator>snort user</dc:creator>
    <dc:date>2011-06-02T03:20:48</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7268">
    <title>pytbull, an IDS/IPS Testing Framework</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7268</link>
    <description>&lt;pre&gt;Hi,

I thought you might be interested in pytbull (http://pytbull.sourceforge.net).

pytbull is an Intrusion Detection/Prevention System (IDS/IPS) Testing
Framework for Snort, Suricata and any IDS/IPS that generates an alert
file. It can be used to test the detection and blocking capabilities
of an IDS/IPS, to compare IDS/IPS, to compare configuration
modifications and to check/validate configurations.

The framework is shipped with about 300 tests grouped in 9 testing modules:

- clientSideAttacks: this module uses a reverse shell to provide the
server with instructions to download remote malicious files. This
module tests the ability of the IDS/IPS to protect against client-side
attacks.
- testRules: basic rules testing. These attacks are supposed to be
detected by the rules sets shipped with the IDS/IPS.
- badTraffic: Non RFC compliant packets are sent to the server to test
how packets are processed.
- fragmentedPackets: various fragmented payloads are sent to server to
test its ability to recompose them &lt;/pre&gt;</description>
    <dc:creator>Sebastien Damaye</dc:creator>
    <dc:date>2011-05-24T05:05:23</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7267">
    <title>Deployed Grid based Intrusion Detection System solutions??</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7267</link>
    <description>&lt;pre&gt;Hi all,

Just wanted to know which are the deployed and currently used Grid based IDS systems.
I have heard about some academic projects, but since I could not get further updates, I am posting here.

Distributed IDS systems, evolving to serve high computing and networked Grids, are they being trusted and channelized by all grid participating members... I am sure there must be unique challenges, but how far have we reached? Can anyone kindly share their views?

Thanks &amp;amp; Regards,
Mayank 


&lt;/pre&gt;</description>
    <dc:creator>Mayank.2.Bhatnagar</dc:creator>
    <dc:date>2011-05-09T08:43:05</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7266">
    <title>Re: host sensors needed?</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7266</link>
    <description>&lt;pre&gt;As I am sure you could have predicted, my answer is that it depends. There are more security options available in a HIDS solution that you won't find when using the tools that you mention in your post such as being able to do behavioral analysis of the software executing on the server. For example, you can deny certain executables from running in a directory where it isn't expected, block all executables from running in temp directories, home directories, etc. As with any software there is a learning curve so it is best to start out with HIDS running in "learning" mode which you can tune over time. 
When looking at defense in depth, go for a mixture of signature-based (IDS, AV) along with heuristic or behavior-based tools. Hope this helps.

&lt;/pre&gt;</description>
    <dc:creator>stcroix111&lt; at &gt;netscape.net</dc:creator>
    <dc:date>2011-05-04T20:40:42</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7265">
    <title>host sensors needed?</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7265</link>
    <description>&lt;pre&gt;I know there is no clear answer to the below question, but I would
like to have some views and opinions.

We are considering whether to install Host IDS Sensors on webservers.
Having them is better security for sure. However, is the added
security worth the extra cost and burden to the server/network?

Before the traffic reaches the webservers, it passes from a Network
IDS Sensor, a Network Firewall, and a Web Application Firewall. This
is why we are not sure whether another layer is worth the trouble?

Thanks,
ST

&lt;/pre&gt;</description>
    <dc:creator>Shang Tsung</dc:creator>
    <dc:date>2011-04-20T11:02:33</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7264">
    <title>Re: Installing Snort in Proventia GX</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7264</link>
    <description>&lt;pre&gt;Hi All,

I have to quit my little project. I still think that it's possible to
do it but I don't have the time to realize it.
Thanks for your interest.

Sergio

On Fri, Apr 8, 2011 at 7:05 AM, Laurens Vets &amp;lt;laurens&amp;lt; at &amp;gt;daemon.be&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>susurros07</dc:creator>
    <dc:date>2011-04-08T06:11:43</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7263">
    <title>Re: Installing Snort in Proventia GX</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7263</link>
    <description>&lt;pre&gt;Are you repurposing an IBM Proventia IDS with Snort? You need to be able to check the BIOS to boot from CD and should go from there.



On Apr 5, 2011, at 6:59 AM, sergio delgado &amp;lt;susurros07&amp;lt; at &amp;gt;gmail.com&amp;gt; wrote:


&lt;/pre&gt;</description>
    <dc:creator>Mark Teicher</dc:creator>
    <dc:date>2011-04-06T15:54:12</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7262">
    <title>Re: Installing Snort in Proventia GX</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7262</link>
    <description>&lt;pre&gt;Hello,


Which exact model is it?

It will probably work, the Proventia firmware is based on Linux anyways
(RedHat I think).

&lt;/pre&gt;</description>
    <dc:creator>Laurens Vets</dc:creator>
    <dc:date>2011-04-06T16:05:49</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7261">
    <title>Installing Snort in Proventia GX</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7261</link>
    <description>&lt;pre&gt;Hi All,

I am thinking of installing a new Linux distribution on a Proventia IDS.
I can't find any documentation; has anyone tried?

Thanks,

Sergio


P.S.: Sorry about my English; I will thank you if you find any mistake.

&lt;/pre&gt;</description>
    <dc:creator>sergio delgado</dc:creator>
    <dc:date>2011-04-05T10:59:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7260">
    <title>New Tool: 'Patriot NG 2.0'</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7260</link>
    <description>&lt;pre&gt;Patriot is a 'Host IDS' tool which allows real time monitoring of
changes in Windows systems and Network attacks.

Patriot monitors:
Changes in Registry keys: Indicating whether any sensitive key
(autorun, internet explorer settings...) is altered.
New files in 'Startup' directories
New Users in the System
New Services installed
Changes in the hosts file
New scheduled jobs
Alteration of the integrity of Internet Explorer: (New BHOs,
configuration changes, new toolbars)
Changes in ARP table (Prevention of MITM attacks)
Installation of new Drivers
New Netbios shares
TCP/IP Defense (New open ports, new connections made by processes,
PortScan detection...)
Files in critical directories (New executables, new DLLs...)
New hidden windows (cmd.exe / Internet Explorer using OLE objects)
Netbios connections to the System
ARP Watch (New hosts in your network)
NIDS (Detect anomalous network traffic based on editable rules)

Homepage: http://www.security-projects.com/?Patriot_NG

Cheers

&lt;/pre&gt;</description>
    <dc:creator>Yago Jesus</dc:creator>
    <dc:date>2011-02-23T02:40:46</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7259">
    <title>Re: IDS causing troubles</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7259</link>
    <description>&lt;pre&gt;
How about using a different network element for gaining a bit of both?

There are devices that can dynamically change their role. They can behave as
taps allowing detection only on the IPS side and can forward the traffic
through the IPS (as with inline implementation). Using such a device allows
your IDS/IPS to be in a "local out-of-path" environment during peace time, thus
reducing the chances of network problems caused by the IPS and avoiding the
additional latency. When an attack is detected, traffic can be diverted to pass
through the IPS and be blocked/dropped/mitigated/etc.

Of course, a main con with such environments is that a single packet
event cannot be addressed by blocking/dropping. However, the RST sending race is
still relevant, as mentioned in this thread.

--
 - Ichilov
&lt;/pre&gt;</description>
    <dc:creator>Ichilov</dc:creator>
    <dc:date>2011-02-19T03:47:11</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7258">
    <title>Re: IDS causing troubles</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7258</link>
    <description>&lt;pre&gt;
It's not a problem, don't take it like that, I just view it as important to educate those that may not be aware of the terminology that is in play.



This is STILL an effective method against scanners and scripts.  However, unfortunately, most of the attacks have turned client side now, and the game has changed.

Joel


--
Joel Esler
http://www.joelesler.net


&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2011-02-18T14:51:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7257">
    <title>Re: IDS causing troubles</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7257</link>
    <description>&lt;pre&gt;Did not realize you were with Sourcefire Joel, would not have been so
'harsh' in my comments. Give my regards to Martin.

FWIW, it was Snort that forced me to create the world's first SIM in
2000, when I could not stand the false positives, and decided to put
all my servers in the top 128 of a class A and nothing but honeypots
in the bottom 128 and only monitor  it. Every time I got an alert, I
knew I had bagged a cracker.

Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
infosysec&amp;lt; at &amp;gt;gmail.com
purdy&amp;lt; at &amp;gt;tecman.com



On Fri, Feb 18, 2011 at 9:28 AM, Joel Esler &amp;lt;joel.esler&amp;lt; at &amp;gt;me.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Curt Purdy</dc:creator>
    <dc:date>2011-02-18T14:49:33</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7256">
    <title>Re: IDS causing troubles</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7256</link>
    <description>&lt;pre&gt;Fair enough, (and I doubt I'm too young), however, back then, there was no difference.  There is now.  

When ISS RealSecure first started coming out with the technology of sending RST packets, I remember people called it IPS back then too.  When tools that auto-blocked at firewalls started coming out, they called it IPS; when IPS without a failopen came along, people called it an IPS.  However, if we look at the landscape now, I argue that it's different and we wouldn't call IPS the same thing anymore.  Which is why I didn't.

I think it's important to understand not only where we've been, but where we are, and where we are going.  I work in the IPS industry (Sourcefire) as I am sure many others on this list do as well, and it's important (at least to me) that people understand the distinction.  I get the reaction all the time that "IPS doesn't work, because all it does is send RST packets", when in fact IPS is now a very mature technology.

I think it's important to understand the difference in the techn&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2011-02-18T14:28:35</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7255">
    <title>Re: IDS causing troubles</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7255</link>
    <description>&lt;pre&gt;If this were a literary list, we could argue semantics till the cows
come home Joel. But being an information security list let's stick to
technology. You may be too young to remember the very first Intrusion
'Protection' System that was not in-line at all. It was simply an IDS
that added ACLs to the firewall to block the grievous party. Everyone
accepted the developer's term 'IPS'.

Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
infosysec&amp;lt; at &amp;gt;gmail.com
purdy&amp;lt; at &amp;gt;tecman.com



On Tue, Feb 15, 2011 at 10:23 AM, Joel Esler &amp;lt;joel.esler&amp;lt; at &amp;gt;me.com&amp;gt; wrote:

&lt;/pre&gt;</description>
    <dc:creator>Curt Purdy</dc:creator>
    <dc:date>2011-02-18T14:21:23</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7254">
    <title>[ISECOM-HACKERHIGH] Sharpen Your Security Skills!</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7254</link>
    <description>&lt;pre&gt;Hi,

There are 2 new seminars available next month held at the Troopers 
conference in Heidelberg, Germany, starting March 28.

"Smarter Safer Better" is for anyone, really anyone, who wants to 
understand how the human mind works to make better trust and security 
decisions. Think of it as the ultimate security awareness class where 
you are first aware about YOU and how to sharpen those instincts. It's 
an eye-opening experience! See 
http://www.troopers.de/troopers11/agenda/smarter-safer-better-workshop/

"OSSTMM 101" is that class for everyone who just couldn't get through 
reading the whole OSSTMM 3 but really wants to know about it and how
it gets applied. See
http://www.troopers.de/troopers11/agenda/osstmm-101-workshop/

Both classes are taught by me, Pete Herzog, and are each 1 day long.
Check out the Troopers agenda for more details:
http://www.troopers.de/troopers11/agenda/

Then you can sign up and register here: https://www.troopers.de/sign-up/

It's a great venue and these will be great sem&lt;/pre&gt;</description>
    <dc:creator>Pete Herzog</dc:creator>
    <dc:date>2011-02-15T18:35:28</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7253">
    <title>RE: IDS causing troubles</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7253</link>
    <description>&lt;pre&gt;Just to chime in about potential problems at the physical layer.  I've seen these types of problems on numerous occasions.  At the trivial extreme there may exist a NIC duplex mismatch or speed mismatch, or in the case of all NICs set to auto-auto, the devices can have issues negotiating the speed/duplex.  I think generally the guidance out there will tell you to nail up the ports on both sides but this isn't a solution in all cases.  At the more complex extreme there are many port stats that can indicate subtle issues.  Corrupt packets, out of sequence packets, retransmits, or dropped packets can all mean a field-day for an IPS.

You would think this would be picked up relatively quickly but it's a recurring issue in my world.  It's important to know that this sort of negotiation/renegotiation may only present itself under heavy traffic volume or a specific type of traffic (MTU issues and so on).  What's more is that upon investigation, the stats on a port on one side of the connection may look relatively cl&lt;/pre&gt;</description>
    <dc:creator>Matthew Fitzgerald</dc:creator>
    <dc:date>2011-02-15T16:08:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.ids/7252">
    <title>Re: IDS causing troubles</title>
    <link>http://permalink.gmane.org/gmane.comp.security.ids/7252</link>
    <description>&lt;pre&gt;

You might want to clarify this statement a bit more. For instance, there are tap vendors that make devices called "Vmode" taps, which is essentially an inline tap: the traffic goes through the tap and is sent through an IPS; however, if the IPS fails, the vmode tap "fails open", sending the traffic straight through.

This may be what you meant about a bypass switch, but just clarifying the terminology.


--
Joel Esler
http://www.joelesler.net


&lt;/pre&gt;</description>
    <dc:creator>Joel Esler</dc:creator>
    <dc:date>2011-02-15T15:25:15</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.ids">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.ids</link>
  </textinput>
</rdf:RDF>
