IDS mailing list archives
Re: Cisco CTR
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 2 Dec 2003 11:19:02 -0500
On Dec 1, 2003, at 9:17 PM, Eric Hacker wrote:
> Martin Roesch wrote:
>> This is an interesting point and worth debating I think. Accuracy is
>> a tricky thing in passive and active systems, on the one hand active
>> systems get to send whatever stimuli they want to elicit a response,
>> but when they're wrong about their interpretation of the results
>> they're 100% wrong and depending on the circumstances of the error
>> they may give you information that's 100% wrong with 100% confidence
>> (i.e. false positives/negatives).
>>
>> Passive systems have more time to play with and therefore can
>> introduce the concept of variable confidence levels and integrating
>> data points over time ranges, but they are data driven and have to
>> wait for the hosts/services/protocols/etc to reveal themselves. In
>> the context of how accurate the two methods are, I think it'll be
>> interesting to see just how accurate passive systems can be versus
>> the false positive/negative rate of active methods.
>
> There is no requirement that active VA systems produce a result based
> on a single stimulus-response cycle. The fact that they do is a
> weakness in product design and not active probes in general.

I agree, but then we get into sample sets and sample frequency and a
variety of other interesting topics related to "how many times do I
have to poke this guy to be sure about info nugget XYZ". I smell
research paper... :)

> I like what I'm hearing about passive VA tools and how they can
> complement active VA. What I can't figure out is how I could get
> passive sensors deployed anywhere near the entire environment. I have
> IDS requirements for only a small part of the overall network and even
> a relatively small section of the server farms. I have VA requirements
> everywhere some idiot has access to a network jack.

It depends on the level of visibility you need into your network
environment, more visibility = more sensors (or at least more taps).
It also depends on what kind of hosts you're interested in, for example
same-subnet traffic, extra-subnet traffic, or internet-bound traffic.
What we're seeing is that lower sensor concentrations give you a nice
view of your more "static" (non-moving) hosts and short period
visibility into your mobile IP pools. Having passive change
analysis/discovery triggering active probes is another option, of
course.
-Marty
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
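The point Marty makes about passive systems "integrating data points over time ranges" with variable confidence, and about static hosts versus mobile IP pools, can be made concrete with a small inventory model. The following is an added example written for this archive page; it is not code from Sourcefire, Snort, or any product discussed in the thread. The banner observations, host addresses, pseudocount prior and staleness threshold are all constructed for the example: each (host, port) claim gains confidence as consistent sightings accumulate, a change in the observed banner is recorded as a conflict (the signature of an address that moved to a different machine), and a claim that has not been re-observed within the threshold is flagged stale rather than silently trusted.

```python
"""Passive service inventory with time-integrated confidence.

Added example, not part of the original mailing-list message. All
observations below are constructed; the hosts and banners are fictional.
"""
from collections import defaultdict

# Constructed sensor log: (seconds since start, host, port, observed banner).
SAMPLE_OBSERVATIONS = [
    (0,    "10.1.1.5",  80, "Apache/2.0.48"),
    (600,  "10.1.1.5",  80, "Apache/2.0.48"),
    (1200, "10.1.1.5",  80, "Apache/2.0.48"),
    (1800, "10.1.1.5",  80, "Apache/2.0.48"),
    (6600, "10.1.1.5",  80, "Apache/2.0.48"),
    (100,  "10.1.1.5",  22, "OpenSSH_3.7.1p2"),
    (7000, "10.1.1.5",  22, "OpenSSH_3.7.1p2"),
    (50,   "10.1.1.40", 80, "IIS/5.0"),           # address later reused by another box
    (300,  "10.1.1.40", 80, "IIS/5.0"),
    (5000, "10.1.1.40", 80, "Apache/1.3.29"),     # same address, different host now
    (5300, "10.1.1.40", 80, "Apache/1.3.29"),
    (20,   "10.1.1.99", 25, "Sendmail 8.12.10"),  # seen once, then silence
]

PRIOR_PSEUDOCOUNT = 2.0  # assumed prior: how sceptical we are of a lone sighting
STALE_AFTER = 3600       # assumed: seconds without a sighting before a claim goes stale


def build_inventory(observations, now, prior=PRIOR_PSEUDOCOUNT,
                    stale_after=STALE_AFTER):
    """Fold passive sightings into per-(host, port) claims with confidence.

    confidence = n / (n + prior), where n counts consistent sightings since
    the most recent change of value. A banner change resets n and counts as
    a conflict, so an address that hops between machines never looks solid.
    """
    by_key = defaultdict(list)
    for t, host, port, banner in observations:
        by_key[(host, port)].append((t, banner))

    inventory = {}
    for key, sightings in by_key.items():
        sightings.sort()  # integrate in time order
        value, agree, conflicts = None, 0, 0
        for _t, banner in sightings:
            if banner == value:
                agree += 1
            else:
                if value is not None:
                    conflicts += 1  # evidence contradicts the current claim
                value, agree = banner, 1
        last_seen = sightings[-1][0]
        inventory[key] = {
            "value": value,
            "confidence": agree / (agree + prior),
            "sightings": len(sightings),
            "sightings_since_change": agree,
            "conflicts": conflicts,
            "last_seen": last_seen,
            "stale": (now - last_seen) > stale_after,
        }
    return inventory


def classify_hosts(inventory):
    """Label an address 'mobile' if any of its claims ever conflicted, else 'static'."""
    verdict = {}
    for (host, _port), claim in inventory.items():
        if claim["conflicts"] > 0:
            verdict[host] = "mobile"
        else:
            verdict.setdefault(host, "static")
    return verdict


if __name__ == "__main__":
    now = 7200  # constructed "current time" for the report
    inv = build_inventory(SAMPLE_OBSERVATIONS, now)
    kinds = classify_hosts(inv)
    for (host, port), c in sorted(inv.items()):
        print(f"{host}:{port:<4} {c['value']:<18} conf={c['confidence']:.2f} "
              f"n={c['sightings']} conflicts={c['conflicts']} "
              f"stale={c['stale']} host={kinds[host]}")
```

Running the block prints one line per claim; the lone Sendmail sighting sits at low confidence and is flagged stale, while the web server at 10.1.1.5 climbs toward certainty only because it kept showing up. The conflict counter is the hook Marty alludes to at the end: a host that flips from "static" to "mobile" is exactly the kind of change a passive sensor could hand off to an active probe for confirmation.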